CISSP: CHAPTER 8
Software Development Security
Objectives
*Software Flaws
*SDLC
*Software Development Methods
*Object Oriented Programming
*Databases
*Design
*Vulnerabilities/Threats
*Malicious Code
Software Flaws
Reasons Why Software Lacks Security
Software vendors rush products to market with the emphasis on functionality, not on security
Most software developers are not security professionals, and vice versa
The computing public is used to receiving software with bugs and then applying patches to it
Software vendors have not been subject to liability for insecure code/products
Programmers are not taught secure coding practices in school
TREND:
Buggy software is released to the market to beat the competition
Hackers find new vulnerabilities in new software
Hacker Websites post vulnerabilities and how to exploit them
Vendor releases patch to fix vulnerabilities
Network administrators and security engineers test and install patches
Vendor develops upgrade and organizations follow suit spending lots of money
Software Development Lifecycle
Where to implement Security?
1. Project Initiation
2. Functional Design Analysis and Planning
3. System Design Specifications
4. Software Development
5. Install/Test/Implement
6. Operational/Maintenance
7. Retirement/Disposal
Project Initiation
Decide on conceptual definition of project
Identify security requirements
Perform an initial risk analysis (analyze potential threats)
Identify security framework
Determine service level agreements
Functional Design Analysis
Define security requirements
Implement security checkpoints in plan
Develop contingency plans
Generate preliminary security test plans
Ensure formal functional baseline includes security requirements
System Design Specification
Define security specification
Update test plans involving security
Security specifications
System design checklist
Formal methods developed
Software Development/Programming
Write programming code to meet specifications
Implement security within code
Perform unit test
DOMAIN #4: SOFTWARE DEVELOPMENT SECURITY
Install/Test
Test system components
User acceptance testing, data checking, resiliency testing
Install system
Create manuals
Perform acceptance test – i.e. certification and accreditation
System acceptance
Operational/Maintenance
Maintain system through service-level agreement
After changes, recertification may be necessary
Audit and test security components periodically
Retirement/Disposal
Properly dispose of system
Move data to another system or discard accordingly
Repeat full cycle with a new project initiation
Object oriented technology
Non-procedural programming where the emphasis is on data objects and their manipulation instead of processes
Benefits: Modularity (autonomous objects/modules)
Reusability
2. Object oriented technology
Classes – Define attributes, characteristics, and behaviors
Attributes – Descriptors for each class
Objects – collection of attributes for a single instance
Methods – functionality performed by objects
Messages – means of communication by objects
2. Object oriented technology
Inheritance – objects inherit attributes and behaviors from super class
Polymorphism – capability of different objects to respond differently to same message
Cohesion – Singleness of purpose
Coupling – the dependency between modules
Abstraction – Information hiding
Database Management
Database Management Software
Database Models
Database programming Interfaces
Relational Database Components
Database Integrity
Database Security Issues
Data Warehousing & Data Mining
Database Models
Hierarchical
Distributed
Object-Oriented
Relational
Database Models
Describes relationships between data elements
Used to represent the conceptual organization of data
Formal methods of representing information
Columns & Rows
a.k.a. Attributes & Tuples
Example column headings: Name | Address | Phone
Hierarchical
Stores related information in a tree-like fashion
Info traced from major group to subgroup
Predetermined access paths to data
Data traced through parents (hierarchy)
Distributed
Client-server type of DB located on more than one server distributed in several locations
Synchronization accomplished via a two-phase commit or replication methods
Data accessible in a single search function despite separate location
Object-Oriented
Keeps track of objects and entities that contain both data and action on the data
Designed for non-text data such as graphics, video and audio clips
A DB in which the operations carried out on data objects are considered part of their definition
Relational
A DB in the form of tables (rows & columns) related to each other
Stores data in such a way that a data manipulation language can be used independently on data
Uses a database engine (Oracle, Sybase, etc…)
Definitions
Primary Key
Foreign Keys
Data dictionary
Metadata (information that describes or augments the main data – it includes details on how to format data for display, processing instructions, or information about how pieces of the data are stored in memory)
View
Cell
Record
File
Schema
Tuple
Attribute
Databases: Vulnerabilities, Threats and Protections
Aggregation
Inference
Polyinstantiation
Code Injection
Input validation
DOES THE DATABASE PASS THE ACID TEST?
Atomicity
Consistency
Isolation
Durability
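As an added example (not from the slides), the Code Injection / Input validation items above and the ACID test can be shown together with Python's built-in sqlite3: a login query built by string formatting beside a validated, parameterised one, and a two-step transfer that is committed or rolled back as a unit (atomicity). The users/accounts tables and their rows are constructed for this example.

```python
import re
import sqlite3

# Constructed sample rows for this example (not from the slides).
SAMPLE_USERS = [("alice", "secret1", "admin"), ("bob", "secret2", "user")]
SAMPLE_ACCOUNTS = [("alice", 100), ("bob", 50)]
NAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")  # allowlist for usernames


def new_db():
    """Create an in-memory database holding the constructed users/accounts tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.execute("CREATE TABLE accounts (owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Code injection defect: user input is pasted into the SQL text itself."""
    sql = f"SELECT role FROM users WHERE name = '{name}' AND password = '{password}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, name, password):
    """Input validation plus a parameterised query: values never become SQL."""
    if not NAME_RE.fullmatch(name):
        return None  # reject names outside the allowlist before touching the DB
    sql = "SELECT role FROM users WHERE name = ? AND password = ?"
    row = conn.execute(sql, (name, password)).fetchone()
    return row[0] if row else None


def transfer(conn, src, dst, amount):
    """Atomicity: both UPDATEs commit together, or the whole transaction rolls back."""
    try:
        with conn:  # sqlite3 commits on normal exit, rolls back if an exception escapes
            conn.execute("UPDATE accounts SET balance = balance - ? WHERE owner = ?", (amount, src))
            (left,) = conn.execute("SELECT balance FROM accounts WHERE owner = ?", (src,)).fetchone()
            if left < 0:
                raise ValueError("insufficient funds")  # undoes the debit above
            conn.execute("UPDATE accounts SET balance = balance + ? WHERE owner = ?", (amount, dst))
        return True
    except ValueError:
        return False


def balances(conn):
    """Current balances as {owner: balance}, for checking the outcome of a transfer."""
    return dict(conn.execute("SELECT owner, balance FROM accounts"))
```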
Data Warehousing
Meta Data: “data about data” gives the data its meaning/context
Data Marts: Often regional collection of information from databases
Data Warehouse: Collection of information from data marts
Data mining: Process of pulling information from data warehouse by utilizing meta data
*Malicious Software (Malware)
* Adware – Software that automatically displays or downloads advertisements. While not all adware is malicious, much of it is associated with spyware and other types of malicious software (malware).
* Virus – Malicious code that spreads from computer to computer by attaching itself to other files. The code executes when the attached file is opened.
* Worms – Malicious code that spreads from computer to computer within a network on its own. It ultimately consumes network bandwidth.
* Spyware – Secretly installed malicious code intended to track and report usage of a target system or to collect data. Such data may include web browsing history, personal information, user names and passwords, and much more.
MALICIOUS SOFTWARE CONTINUED
* Trojan – Malicious code that masquerades as a harmless file. It usually performs a variety of actions, including key-logging, opening the computer to further attacks, and destroying data or files, among others.
* Rootkits – Malicious code intended to take full or partial control of a system at the lowest level (core or kernel). They often hide themselves from monitoring or detection and modify system files. Most rootkit infections install backdoors or trapdoors, spyware, or other malicious code once they gain control of the target system.
* Backdoors – Usually created by software developers for emergency entry into a system, for example a hotkey that works when a password is not available. Obviously, anyone with knowledge of it can use it to gain access to the system. A trapdoor, by contrast, is created through malicious activity.
SEI-CMMI (Software Engineering Institute – Capability Maturity Model Integrated)
Developed by the Software Engineering Institute of The Carnegie Mellon University in Pittsburgh
Describes the procedures, principles, and practices of better software development processes. Has five maturity levels:
Initial
Development is based on ad hoc effort. No procedures are in place and there is no assurance of consistency, which affects software quality.
Repeatable
A formal structure has been developed including quality assurance. However, no formal process models have been defined.
Defined
Formal procedures and defined processes have been put in place for projects.
Managed
Formal processes have been put in place to allow for quantitative data analysis. Metrics are defined for process improvement. Quantitative understanding of quality.
Optimized
Integrated plans for continuous process improvement.
Chapter 8 Software Development Security: Review
*Software Flaws
*SDLC
*Software Development Methods
*Object Oriented Programming
*Databases
*Design
*Vulnerabilities/Threats
*Malicious Code
*CMMI