CHAPTER 10_Software Development Security Flashcards
Explanations: Object-Oriented Concepts
Software development used to be done by classic input-processing-output methods. This development used an information flow model from hierarchical information structures. Data were input into a program, and the program passed the data from the beginning to end, performed logical procedures, and returned a result.
Emphasis: System Development Life Cycle
A life cycle is a representation of development changes. A person is conceived, born, matures (baby, toddler, teenager, middle age, elderly), and dies. Such is the circle of life. Projects have a life cycle: initiation, planning, execution and controlling, and closure. A system has its own developmental life cycle, which is made up of the following phases: initiation, acquisition/development, implementation, operation/maintenance, and disposal. Collectively these are referred to as a system development life cycle (SDLC). Here are the basic components of each phase:
Emphasis: Authentication and Access Control
If you’ve used the Internet for banking, shopping, registering for classes, or working from home, you most likely logged in through a web-based application. From the consumer side or the provider side, the topic of authentication and access control is an obvious issue. Consumers want an access control mechanism that provides the security and privacy they would expect from a trusted entity, but they also don’t want to be too burdened by the process. From the service providers’ perspective, they want to provide the highest amount of security to the consumer that performance, compliance, and cost will allow. So, from both of these perspectives, typically usernames and passwords are still used to control access to most web applications.
Emphasis: Web Application Security Principles
Considering their exposed nature, web sites are primary targets during an attack. It is, therefore, essential for web developers to abide by the time-honored and time-tested principles to provide the maximum level of deterrence to attackers. Web application security principles are meant to govern programming practices to regulate programming styles and strategically reduce the chances of repeating known software bugs and logical flaws.
Bullets: Development
Programming software code to meet specifications laid out in the design phase
Bullets: V-model
Emphasizes verification and validation at each phase and testing to take place throughout the project, not just at the end.
Bullets: Third-party evaluations
Reviewing the level of service and quality a specific vendor will provide if the system is to be purchased.
Explanation Bullets: A database is the mechanism that provides structure for the data collected. The actual specifications of the structure may be different per database implementation, because different organizations or departments work with different types of data and need to perform diverse functions upon that information. There may be different workloads, relationships between the data, platforms, performance requirements, and security goals. Any type of database should have the following characteristics:
- It centralizes by not having data held on several different servers throughout the network.
- It allows for easier backup procedures.
- It provides transaction persistence.
- It allows for more consistency since all the data are held and maintained in one central location.
- It provides recovery and fault tolerance.
- It allows the sharing of data with multiple users.
- It provides security controls that implement integrity checking, access control, and the necessary level of confidentiality.
Bullets: Parameter validation
The values that are being received by the application are validated to be within defined limits before the server application processes them within the system.
Explanation Bullets: As it pertains to security, the following items should be accomplished in this phase:
- Security requirements
- Security risk assessment
- Privacy risk assessment
- Risk-level acceptance
Explanation Bullets: 17. B. The characteristics and their associated definitions are listed as follows:
- Modularity: Autonomous objects, cooperation through exchanges of messages.
- Deferred commitment: The internal components of an object can be redefined without changing other parts of the system.
- Reusability: Other programs using the same objects.
- Naturalness: Object-oriented analysis, design, and modeling map to business needs and solutions.
Bullets: Mobile code
Code that can be transmitted across a network, to be executed by a system or device on the other end.
Bullets: Statement of Work (SOW)
Describes the product and customer requirements. A detailed-oriented SOW will help ensure that these requirements are properly understood and assumptions are not made.
Bullets: Repeatable
A formal management structure, change control, and quality assurance are in place. The company can properly repeat processes throughout each project. The company does not have formal process models defined.
Emphasis: Spyware and Adware
Spyware is a type of malware that is covertly installed on a target computer to gather sensitive information about a victim. The gathered data may be used for malicious activities, e.g., identity theft, spamming fraud, etc. Spyware can also gather information about a victim’s online browsing habits, which are then often used by spammers to send targeted advertisements. It can also be used by an attacker to direct a victim’s computer to perform tasks such as installing software, changing system settings, transferring browsing history, logging key strokes, taking screenshots, etc.
Bullets: Schema
Database structure that is described in a formal language supported by the database management system (DBMS). It is used to describe how data will be organized.
Explanation Bullets: The following list illustrates the basic software programming language generations:
- Generation one: machine language
- Generation two: assembly language
- Generation three: high-level language
- Generation four: very high-level language
- Generation five: natural language
Bullets: Software escrow
Storing of the source code of software with a third-party escrow agent. The software source code is released to the licensee if the licensor (software vendor) files for bankruptcy or fails to maintain and update the software product as promised in the software license agreement.
Bullets: Client-side validation
Input validation is done at the client before it is even sent back to the server to process.
Bullets: Verification
Determines if the product accurately represents and meets the specifications.
Bullets: Probabilistic
Identifies data interdependencies and applies probabilities to their relationships.
Emphasis: tunneling virus
Another type of virus, called the tunneling virus, attempts to install itself “under” the antivirus program. When the antivirus goes around doing its health check on critical files, file sizes, modification dates, and so on, it makes a request to the operating system to gather this information. Now, if the virus can put itself between the antivirus and the operating system, when the antivirus sends out a command (system call) for this type of information, the tunneling virus can intercept this call. Instead of the operating system responding to the request, the tunneling virus responds with information that indicates that everything is fine and healthy and that there is no indication of any type of infection.
Bullets: Security plan
Documented security controls the system must contain to ensure compliance with the company’s security needs. This plan provides a complete description of the system and ties them to key company documents, as in configuration management, test and evaluation plans, system interconnection agreements, security accreditations, etc.
Bullets: Information gathering
Usually the first step in an attacker’s methodology, in which the information gathered may allow an attacker to infer additional information that can be used to compromise systems.
Bullets: Object Linking and Embedding Database (OLE DB)
Separates data into components that run as middleware on a client or server. It provides a low-level interface to link information across different databases, and provides access to data no matter where they are located or how they are formatted. The following are some characteristics of an OLE DB:
Emphasis: parameter validation
The issue of parameter validation is akin to the issue of input validation mentioned earlier. Parameter validation is where the values that are being received by the application are validated to be within defined limits before the server application processes them within the system. The main difference between parameter validation and input validation would have to be whether the application was expecting the user to input a value as opposed to an environment variable that is defined by the application. Attacks in this area deal with manipulating values that the system would assume are beyond the client being able to configure, mainly because there isn’t a mechanism provided in the interface to do so.
Emphasis: Fast flux
NOTE Fast flux is an evasion technique. Botnets can use fast flux functionality to hide the phishing and malware delivery sites they are using. One common method is to rapidly update DNS information to disguise the hosting location of the malicious web sites.
Explanation Bullets: In reality, the flaws within the software cause a majority of the vulnerabilities in the first place. Several reasons explain why perimeter devices are more often considered than dealing with the insecurities within the software:
- In the past, it was not crucial to implement security during the software development stages; thus, many programmers today do not practice these procedures.
- Most security professionals are not software developers, and thus do not have complete insight to software vulnerability issues.
- Many software developers do not have security as a main focus. Functionality is usually considered more important than security.
- Software vendors are trying to get their products to market in the quickest possible time, and thus do not take time for proper security architecture, design, and testing steps.
- The computing community has gotten used to receiving software with flaws and then applying patches. This has become a common and seemingly acceptable practice.
- Customers cannot control the flaws in the software they purchase, so they must depend upon perimeter protection.
Emphasis: Spam Detection
We are all pretty tired of receiving emails that try to sell us things we don’t need. A great job, a master’s degree that requires no studying, and a great sex life are all just a click away (and only $19.99!)—as promised by this continual stream of messages. These emails have been given the label spam, which is electronic unsolicited junk email. Along with being a nuisance, spam eats up a lot of network bandwidth and can be the source of spreading malware. Many organizations have spam filters on their mail servers, and users can configure spam rules within their e-mail clients, but just as virus writers always come up with ways to circumvent antivirus software, spammers come up with clever ways of getting around spam filters.
Bullets: Self-garbling virus
Attempts to hide from antivirus software by modifying its own code so that it does not match predefined signatures.
Emphasis: Information Gathering
Information gathering is usually the first step in an attacker’s methodology. Information gathered may allow an attacker to infer additional information that can be used to compromise systems. Unfortunately, most of the information gathered is from sources that are available to anyone who asks. The big search engines make it even easier for an attacker to gather information because they aggregate information and can return results from the search engine’s cache without the attacker ever connecting to the target company’s web server.
Explanations: Java Platform, Enterprise Edition
Another distributed computing model is based upon the Java programming language, which is the Java Platform, Enterprise Edition (J2EE). Just as the COM and CORBA models were created to allow a modular approach to programming code with the goal of interoperability, J2EE defines a client/server model that is object oriented and platform independent.
Bullets: Polymorphic virus
Produces varied but operational copies of itself. A polymorphic virus may have no parts that remain identical between infections, making it very difficult to detect directly using signatures.
Emphasis: Transaction persistence
NOTE Transaction persistence means the database procedures carrying out transactions are durable and reliable. The state of the database’s security should be the same after a transaction has occurred, and the integrity of the transaction needs to be ensured.
Explanations: Specific Threats for Web Environments
The most common types of vulnerabilities, threats, and complexities are covered in the following sections, which we will explore one at a time:
Emphasis: Service-Oriented Architecture
While many of the previously described distributed computing technologies are still in use, the industry has moved toward and integrated another approach in providing commonly needed application functionality and procedures across various environments. A service-oriented architecture (SOA) provides standardized access to the most needed services to many different applications at one time. Application functionality is separated into distinct units (services) and offered up through well-defined interfaces and data-sharing standardization. This means that individual applications do not need to possess the same redundant code and functionality. The functionality can be offered by an individual entity and then all other applications can just call upon and use the one instance. This is really the crux of all distributed computing technologies and approaches—SOA is just a more web-based approach.
Bullets: Change control
The process of controlling the changes that take place during the life cycle of a system and documenting the necessary change control activities.
Bullets: Database management system (DBMS)
Enforces access control restrictions, provides data integrity and redundancy, and sets up different procedures for data management manipulation.
Bullets: Stealth virus
A virus that hides the modifications it has made. The virus tries to trick antivirus software by intercepting its requests to the operating system and providing false and bogus information.
Bullets: Natural languages
Otherwise known as fifth-generation programming languages, which have the goal to create software that can solve problems by themselves. Used in systems that provide artificial intelligence.
Bullets: Formal risk assessment
Identifies vulnerabilities and threats in the proposed system and the potential risk levels as they pertain to confidentiality, integrity, and availability. This builds upon the initial risk assessment carried out in the previous phase. The results of this assessment help the team build the system’s security plan.
Explanations: Static Analysis
Static analysis is a debugging technique that is carried out by examining the code without executing the program, and therefore is carried out before the program is compiled. The term static analysis is generally reserved for automated tools that assist programmers and developers, whereas manual inspection by humans is generally referred to as code review.
Bullets: Attack surface analysis
Identify and reduce the amount of code accessible to untrusted users.
Emphasis: inference engine
Rule-based programming is a common way of developing expert systems. The rules are based on if-then logic units and specify a set of actions to be performed for a given situation. This is one way expert systems are used to find patterns, which is called pattern matching. A mechanism, called the inference engine, automatically matches facts against patterns and determines which rules are applicable. The actions of the corresponding rules are executed when the inference engine is instructed to begin execution.
Bullets: Pre-validation
Input controls verifying data are in appropriate format and compliant with application specifications prior to submission to the application. An example of this would be form field validation, where web forms do not allow letters in a field that is expecting to receive a number (currency) value.
Bullets: Waterfall
Sequential approach that requires each phase to complete before the next one can begin. Difficult to integrate changes. Inflexible model.
Explanation Bullets: We will cover the main categories of malware in the following sections, but the main reasons that they are all increasing in numbers and potency are as follows:
- Environments are heterogeneous and increase in complexity.
- Everything is becoming a computer (phones, TVs, play stations, power grids, medical devices, etc.), and thus all are capable of being compromised.
- More people and companies are storing all of their data in some digital format.
- More people and devices are connecting through various interfaces (phone apps, Facebook, web sites, email, texting, e-commerce, etc.).
- Many accounts are configured with too much privilege (administrative or root access).
- More people who do not understand technology are using it for sensitive purposes (online banking, e-commerce, etc.).
Bullets: Security assurance requirements analysis
Identifies the assurance levels the system must provide. The activities that need to be carried out to ensure the desired level of confidence in the system are determined, which are usually specific types of tests and evaluations.
Bullets: Object linking and embedding (OLE)
Provides a way for objects to be shared on a local computer and to use COM as their foundation. It is a technology developed by Microsoft that allows embedding and linking to documents and other objects.
Bullets: Interpreters
Tools that convert code written in interpreted languages to the machine-level format for processing.
Explanation Bullets: The proliferation of malware has a direct relationship to the large amount of profit individuals can make without much threat of being caught. The most commonly used schemes for making money through malware are as follows:
- Spyware collects personal data for the malware developer to resell to others.
- Malware redirects web traffic so that people are pointed toward a specific product for purchase.
- Malware installs back doors on systems, and they are used as proxies to spread spam or pornographic material.
- Systems are infected with bots and are later used in distributed-denial-of-service attacks.
- Malware installs key loggers, which collect sensitive financial information for the malware author to use.
- Malware is used to carry out phishing attacks, fraudulent activities, identity theft steps, and information warfare activities.
Emphasis: stealth virus
A stealth virus hides the modifications it has made to files or boot records. This can be accomplished by monitoring system functions used to read files or sectors and forging the results. This means that when an antivirus program attempts to read an infected file or sector, the original uninfected form will be presented instead of the actual infected form. The virus can hide itself by masking the size of the file it is hidden in or actually move itself temporarily to another location while an antivirus program is carrying out its scanning process.
Bullets: Unicode encoding
Unicode is an industry-standard mechanism developed to represent the entire range of over 100,000 textual characters in the world as a standard coding format. Web servers support Unicode to support different character sets (for different languages), and, at one time, many web server software applications supported it by default. So, even if we told our systems to not allow the “../” directory traversal request mentioned earlier, an attacker using Unicode could effectively make the same directory traversal request without using “/” but with any of the Unicode representations of that character (three exist: %c1%1c, %c0%9v, and %c0%af). That request may slip through unnoticed and be processed.
Explanations: Operations/Maintenance
The system was secure when we installed it. I am sure nothing has changed since then.
Bullets: Java Database Connectivity (JDBC)
An API that allows a Java application to communicate with a database. The application can bridge through ODBC or directly to the database. The following are some characteristics of JDBC:
Bullets: P2
Moderate Privacy Risk: The sole behavior that affects privacy in the feature, product, or service is a one-time, user-initiated anonymous data transfer (e.g., the user clicks on a link and goes out to a web site).
Explanations: Data Structures
A data structure is a representation of the logical relationship between elements of data. It dictates the degree of association among elements, methods of access, processing alternatives, and the organization of data elements.
Bullets: Post-validation
Ensuring an application’s output is consistent with expectations (that is, within predetermined constraints of reasonableness).
Emphasis: Rapid Application Development (RAD)
The Rapid Application Development (RAD) model relies more on the use of rapid prototyping instead of extensive upfront planning. In this model, the planning of how to improve the software is interleaved with the processes of developing the software, which allows for software to be developed quickly. The delivery of a workable piece of software can take place in less than half the time compared to other development models. The RAD model combines the use of prototyping and iterative development procedures with the goal of accelerating the software development process. The development process begins with creating data models and business process models to help define what the end-result software needs to accomplish. Through the use of prototyping, these data and process models are refined. These models provide input to allow for the improvement of the prototype, and the testing and evaluation of the prototype allow for the improvement of the data and process models. The goal of these steps is to combine business requirements and technical design statements, which provide the direction in the software development project.
Explanations: SDLC and Security
The main phases of a software development life cycle are shown here with some specific security tasks:
Bullets: Two-phase commit
A mechanism that is another control used in databases to ensure the integrity of the data held within the database.
Emphasis: Release/Maintenance Phase
Once the software code is developed and properly tested, it is released so that it can be implemented within the intended production environment. The software development team’s role is not finished at this point. Newly discovered problems and vulnerabilities are commonly identified. For example, if a company developed a customized application for a specific customer, the customer could run into unforeseen issues when rolling out the product within their various networked environments. Interoperability issues might come to the surface, or some configurations may break critical functionality. The developers would need to make the necessary changes to the code, retest the code, and re-release the code.
Emphasis: DOM (Document Object Model)
• DOM (Document Object Model)–based XSS vulnerabilities are also referred to as local cross-site scripting. DOM is the standard structure layout to represent HTML and XML documents in the browser. In such attacks the document components such as form fields and cookies can be referenced through JavaScript. The attacker uses the DOM environment to modify the original client-side JavaScript. This causes the victim’s browser to execute the resulting abusive JavaScript code.
Emphasis: Administrative Interfaces
Everyone wants to work from the coffee shop or at home in their pajamas. Webmasters and web developers are particularly fond of this concept. Although some systems mandate that administration be carried out from a local terminal, in most cases, there is an interface to administer the systems remotely, even over the Web. While this may be convenient to the webmaster, it also provides an entry point into the system for an unauthorized user.
Emphasis: logic bomb
A logic bomb executes a program, or string of code, when a certain set of conditions are met. For example, a network administrator may install and configure a logic bomb that is programmed to delete the company’s whole database if he is terminated.
Bullets: Compilers
Tools that convert high-level language statements into the necessary machine-level format (.exe, .dll, etc.) for specific processors to understand.
Bullets: Data modeling
Considers data independently of the way the data are processed and of the components that process the data. A process used to define and analyze data requirements needed to support the business processes.
Bullets: Acceptance testing
Ensuring that the code meets customer requirements.
Bullets: Fuzzing
A technique used to discover flaws and vulnerabilities in software.
Bullets: Rapid Application Development
Combines prototyping and iterative development procedures with the goal of accelerating the software development process.
Bullets: Validation
Determines if the product provides the necessary solution for the intended real-world problem.
Bullets: Functional model
Outlines the tasks and functions the application needs to carry out.
Explanation Bullets: 10. D. The following are correct characteristics of the ACID test:
- Atomicity: Divides transactions into units of work and ensures that all modifications take effect or none take effect. Either the changes are committed or the database is rolled back.
- Consistency: A transaction must follow the integrity policy developed for that particular database and ensure all data are consistent in the different databases.
- Isolation: Transactions execute in isolation until completed without interacting with other transactions. The results of the modification are not available until the transaction is completed.
- Durability: Once the transaction is verified as accurate on all systems, it is committed and the databases cannot be rolled back.
Explanations: Logic Bombs
A logic bomb executes a program, or string of code, when a certain set of conditions are met. For example, a network administrator may install and configure a logic bomb that is programmed to delete the company’s whole database if he is terminated.
Emphasis: Persistent XSS
• Persistent XSS vulnerabilities, also known as stored or second-order vulnerabilities, are generally targeted at web sites that allow users to input data which are stored in a database or any other such location, e.g., forums, message boards, guest books, etc. The attacker posts some text that contains some malicious JavaScript, and when other users later view the posts, their browsers render the page and execute the attacker’s JavaScript.
Bullets: P1
High Privacy Risk: The feature, product, or service stores or transfers Personally Identifiable Information (PII); monitors the user with an ongoing transfer of anonymous data; changes settings or file type associations; or installs software.
Emphasis: operational prototypes
The operational prototypes are an extension of the evolutionary prototype method. Both models (operational and evolutionary) improve the quality of the prototype as more data are gathered, but the operational prototype is designed to be implemented within a production environment as it is being tweaked. The operational prototype is updated as customer feedback is gathered, and the changes to the software happen within the working site.
Emphasis: Project Management
Many developers know that good project management keeps the project moving in the right direction, allocates the necessary resources, provides the necessary leadership, and plans for the worst yet hopes for the best. Project management processes should be put into place to make sure the software development project executes each life-cycle phase properly. Project management is an important part of product development, and security management is an important part of project management.
Explanation Bullets: Each object should have specifications it should adhere to. This discipline provides cleaner programming and reduces programming errors and omissions. The following list is an example of what should be developed for each object:
- Object name
- Attribute descriptions
- Attribute name
- Attribute content
- Attribute data type
- External input to object
- External output from object
- Operation descriptions
- Operation name
- Operation interface description
- Operation processing description
- Performance issues
- Restrictions and limitations
- Instance connections
- Message connections
Bullets: Server side includes (SSI)
An interpreted server-side scripting language used almost exclusively for web-based communication. It is commonly used to include the contents of one or more files into a web page on a web server. Allows web developers to reuse content by inserting the same content into multiple web documents.
Bullets: Bots
Software applications that run automated tasks over the Internet, which perform tasks that are both simple and structurally repetitive. Malicious use of bots is the coordination and operation of an automated attack by a botnet (centrally controlled collection of bots).
Explanations: Malicious Software (Malware)
Several types of malicious code or malware exist, such as viruses, worms, Trojan horses, and logic bombs. They usually are dormant until activated by an event the user or system initiates. They can be spread by email, sharing media, sharing documents and programs, or downloading things from the Internet, or they can be purposely inserted by an attacker.
Bullets: High-level languages
Otherwise known as third-generation programming languages, due to their refined programming structures, using abstract statements.
Bullets: Incremental
Multiple development cycles are carried out on a piece of software throughout its development stages. Each phase provides a usable version of software.
Emphasis: Testing/Validation Phase
Formal and informal testing should begin as soon as possible. Unit testing can start very early in development. After a programmer develops a component, or unit of code, it is tested with several different input values and in many different situations. The goal of this type of testing is to isolate each part of the software and show that the individual parts are correct. Unit testing usually continues throughout the development phase. A totally different group of people should carry out the formal testing. This is an example of separation of duties. A programmer should not develop, test, and release software. The more eyes that see the code, the greater the chance that flaws will be found before the product is released.
Explanation Bullets: 14. A. The software development models and their definitions are as follows:
- Joint Analysis Development (JAD): A method that uses a team approach in application development in a workshop-oriented environment.
- Rapid Application Development (RAD): A method of determining user requirements and developing systems quickly to satisfy immediate needs.
- Reuse Model: A model that approaches software development by using progressively developed models. Reusable programs are evolved by gradually modifying pre-existing prototypes to customer specifications. Since the Reuse model does not require programs to be built from scratch, it drastically reduces both development cost and time.
- Cleanroom: An approach that attempts to prevent errors or mistakes by following structured and formal methods of developing and testing. This approach is used for high-quality and critical applications that will be put through a strict certification process.
Emphasis: artificial neural network (ANN)
An artificial neural network (ANN) is a mathematical or computational model based on the neural structure of the brain. Computers perform activities like calculating large numbers, keeping large ledgers, and performing complex mathematical functions, but they cannot recognize patterns or learn from experience as the brain can. ANNs contain many units that simulate neurons, each with a small amount of memory. The units work on data that are input through their many connections. Via training rules, the systems are able to learn from examples and have the capability to generalize.
Emphasis: high coupling
An example of low coupling would be one module passing a variable value to another module. As an example of high coupling, Module A would pass a value to Module B, another value to Module C, and yet another value to Module D. Module A cannot complete its tasks until Modules B, C, and D complete their tasks and return results back to Module A.
Bullets: Software as a Service (SaaS)
A software delivery model that allows applications and data to be centrally hosted and accessed by thin clients, commonly web browsers. A common delivery method of cloud computing.
Bullets: Machine language
A set of instructions in binary format that the computer’s processor can understand and work with directly.
Bullets: Behavior blocking
Allows the suspicious code to execute within the operating system and watches its interactions with the operating system, looking for suspicious activities.
Bullets: Initial
Development process is ad hoc or even chaotic. The company does not use effective management procedures and plans. There is no assurance of consistency, and quality is unpredictable.
Bullets: Immunizer
Attaches code to the file or application, which would fool a virus into “thinking” it was already infected.
Emphasis: Relational Database Components
Relational Database Components: Like all software, databases are built with programming languages. Most database languages include a data definition language (DDL), which defines the schema; a data manipulation language (DML), which examines data and defines how the data can be manipulated within the database; a data control language (DCL), which defines the internal organization of the database; and an ad hoc query language (QL), which defines queries that enable users to access the data within the database.
Bullets: Eradication
Removes itself after the payload has been executed
Bullets: Noise and perturbation
A technique of inserting bogus information in the hopes of misdirecting an attacker or confusing the matter enough that the actual attack will not be fruitful.
Bullets: System development life cycle (SDLC)
A methodical approach to standardize requirements discovery, design, development, testing, and implementation in every phase of a system. It is made up of the following phases: initiation, acquisition/development, implementation, operation/maintenance, and disposal.
Emphasis: Session Management
Session Management: As highlighted earlier, managing several thousand different clients connecting to a web-based application is a challenge. Session management requires consideration before delivering applications via the Web. The most common method of managing client sessions is assigning a unique session ID to every connection. A session ID is a value sent by the client to the server with every request that uniquely identifies the client to the server or application. If an attacker were able to acquire or even guess an authenticated client’s session ID and present it to the server as its own session ID, the server would be fooled and the attacker would have access to the session.
Bullets: Foreign key
An attribute of one table that is related to the primary key of another table.
Bullets: Service-oriented architecture (SOA)
Provides standardized access to the most needed services to many different applications at one time. Service interactions are self-contained and loosely coupled, so that each interaction is independent of any other interaction.
Emphasis: Database Management Software
Database Management Software: A database is a collection of data stored in a meaningful way that enables multiple users and applications to access, view, and modify data as needed. Databases are managed with software that provides these types of capabilities. It also enforces access control restrictions, provides data integrity and redundancy, and sets up different procedures for data manipulation. This software is referred to as a database management system (DBMS) and is usually controlled by a database administrator. Databases not only store data, but may also process data and represent them in a more usable and logical form. DBMSs interface with programs, users, and data within the database. They help us store, organize, and retrieve information effectively and efficiently.
Bullets: Inference engine
A computer program that tries to derive answers from a knowledge base. It is the “brain” that expert systems use to reason about the data in the knowledge base for the ultimate purpose of formulating new conclusions.
Bullets: Cross-site scripting (XSS)
An attack where a vulnerability is found on a web site that allows an attacker to inject malicious code into a web application.
Emphasis: COM and DCOM
COM and DCOM: Component Object Model (COM) is a model that allows for interprocess communication within one application or between applications on the same computer system. The model was created by Microsoft and outlines standardized APIs, component naming schemes, and communication standards. So if I am a developer and I want my application to be able to interact with the Windows operating system and the different applications developed for this platform, I will follow the COM outlined standards.
Bullets: Primary key
Columns that make each row unique. (Every row of a table must include a primary key.)
Emphasis: Environment versus Application
Environment versus Application: Software controls can be implemented by the operating system or by the application—and usually a combination of both is used. Each has its strengths and weaknesses, but if they are all understood and programmed to work in a concerted effort, then many different scenarios and types of compromises can be thwarted. One downside to relying mainly on operating system controls is that although they can control a subject’s access to different objects and restrict the actions of that subject within the system, they do not necessarily restrict the subject’s actions within an application. If an application has a security vulnerability within its own programming code, it is hard for the operating system to predict and control this vulnerability. An operating system is a broad environment for many applications to work within. It is unfair to expect the operating system to understand all the nuances of different programs and their internal mechanisms.
Bullets: Worms
These are different from viruses in that they can reproduce on their own without a host application and are self-contained programs.
Bullets: Atomicity
Divides transactions into units of work and ensures that all modifications take effect or none takes effect. Either the changes are committed or the database is rolled back.
Explanations: Acquisition/Development
Before the system is actually developed or purchased, several things should take place to ensure the end result meets the company’s true needs. Some of the activities are as follows:
Explanations: Development Phase
This is the phase where the programmers become deeply involved. The software design that was created in the previous phase is broken down into defined deliverables, and programmers develop code to meet the deliverable requirements.
Emphasis: Script viruses
Script viruses have been quite popular and damaging over the last several years. Scripts are files that are executed by an interpreter—for example, Microsoft Windows Script Host, which interprets different types of scripting languages. Web sites have become more dynamic and interactive through the use of script files written in Visual Basic (VBScript) and Java (JScript) as well as other scripting languages that are embedded in HTML. When a web page that has these scripts embedded is requested by a web browser, these embedded scripts are executed, and if they are malicious, then everything just blows up. Okay, this is a tad overdramatic. The virus will carry out the payload (instructions) that the virus writer has integrated into the script, whether it is sending out copies of itself to everyone in your contact list or deleting critical files. Scripts are just another infection vector used by malware writers to carry out their evil ways.
Emphasis: only
Client-side validation is when the input validation is done at the client before the input is even sent to the server for processing. If you’ve missed a field in a web form and, before clicking Submit, you immediately receive a message informing you that you’ve forgotten to fill in one of the fields, you’ve experienced client-side validation. This is a good idea, rather than sending incomplete requests to the server and having the server send back an error message to the user. The problem arises when client-side validation is the only validation that takes place. In this situation, the server trusts that the client has done its job correctly and processes the input as if it is valid. In normal situations, accepting this input would be fine, but when an attacker can intercept the traffic between the client and server and modify it, or just directly make illegitimate requests to the server without using a client, a compromise is more likely.
Emphasis: Spyware
Spyware is a type of malware that is covertly installed on a target computer to gather sensitive information about a victim. The gathered data may be used for malicious activities, e.g., identity theft, spamming, fraud, etc. Spyware can also gather information about a victim’s online browsing habits, which is then often used by spammers to send targeted advertisements. It can also be used by an attacker to direct a victim’s computer to perform tasks such as installing software, changing system settings, transferring browsing history, logging keystrokes, taking screenshots, etc.
Bullets: Path or directory traversal
This attack is also known as the “dot dot slash” because it is perpetrated by inserting the characters “../” several times into a URL to back up or traverse into directories that weren’t supposed to be accessible from the Web. The command “../” at the command prompt tells the system to back up to the previous directory (i.e., “cd ../”). If a web server’s default directory is c:\inetpub\www, a URL requesting http://www.website.com/scripts/../../../../../windows/system32/cmd.exe?/c+dir+c:\ would issue the command to back up several directories to ensure it has gone all the way to the root of the drive and then make the request to change to the operating system directory (windows\system32) and run cmd.exe, listing the contents of the C: drive. Access to the command shell allows extensive access for the attacker.
Emphasis: ActiveX Controls
ActiveX Controls: ActiveX is a Microsoft technology composed of a set of OOP technologies and tools based on COM and DCOM. A programmer uses these tools to create ActiveX controls, which are self-sufficient programs similar to Java applets. ActiveX controls can be reused by many applications within one system or different systems within an environment. These controls can be downloaded from web sites to add extra functionality (as in providing animations for web pages), but they are also components of Windows operating systems themselves (dynamic link libraries [DLLs]) and carry out common operating system tasks.
Bullets: Trigger
Uses an event to initiate its payload execution
Bullets: Cleanroom
An approach that attempts to prevent errors or mistakes by following structured and formal methods of developing and testing. This approach is used for high-quality and critical applications that will be put through a strict certification process.