Chapter 3 - Secure Software Design Flashcards
What causes the majority of software security issues?
Insecure or incomplete design.
What methods can be used for attack surface evaluation?
Threat models and misuse case modeling
What are the benefits to designing security into software?
- Resiliency and recoverability
- Quality, maintainability, less prone to errors
- Minimal redesign and consistency
- Addressed business logic flaws
What is a business logic flaw?
A flaw where the software is operating as designed, but the design itself makes circumventing the security policy possible.
What is the difference between a flaw and a bug?
Flaws are design or architectural defects. Coding or implementation constructs that can cause a breach in security are bugs.
What is a semantic issue?
A logic flaw.
What are the core security elements?
Confidentiality, Integrity, Availability, Authentication, Authorization, and Auditing.
What are the types of cryptography?
Covert and Overt
What are the types of covert cryptography?
Steganography and digital watermarking
What are the types of overt cryptography?
Hashing and encryption
What are the types of encryption?
Symmetric and asymmetric
What is “work factor”?
In cryptanalysis, the amount of work required to defeat an algorithm.
What is the only provably unbreakable encryption?
The one time pad
Describe symmetric encryption
It’s characterized by using a single key for encryption and decryption that must be shared between the sender and receiver.
What is the benefit to symmetric key encrryption?
It’s fast and efficient.
What are the challenges to symmetric key encryption?
- Key exchange and management require a secure, out-of-band mechanism.
- Scalability. Need a unique key for each pair of sender/recipient
- No nonrepudiation
What kind of algorithm is RC-2?
Symmetric
What kind of algorithm is RC-4?
Symmetric
What kind of algorithm is RC-5?
Symmetric
What is the key size of DES?
56 bits
What is the key size of skipjack?
80 bits
What is the key size of IDEA?
128 bits
What is the key size of blowfish
128 bits
What is the key size of 3DES?
168 bits
What is the key size of twofish?
256 bits
What is the key size of RC6?
256 bits
What is the key size of AES/Rijndael?
256 bits
What other term is used for nonrepudiation protection?
Proof-of-origin protection
What advantages does public key crypto have?
- Key exhange is easier.
- Scalability. Each user only needs 2 keys (public/private)
- Addresses nonrepudiation
What is the disadvantage of public key crypto?
It’s computationally intensive, so slower.
List common public key crypto algorithms.
RSA
El Gamal
Diffie-Hellman
Elliptic Curve Cryptosystem
What is Elliptic Curve Cryptosystem ideal for?
Small hardware devices such as smart cards and mobile devices.
What does a digital certificate include?
Public keys, algorithm information, owner and subject data, digital signature of the CA, and a validity date range.
What are the types of digital certificates.
Personal
Server
Software publisher
What hsould you use when copyright and IP protection are an issue?
Digital watermarking
What should you use if data confidentiality in processing, transit, storage, and archiving need to be assured?
Hashing or encryption.
What features can be used to assure integirty?
Hashing
Referential integrity
Resource locking
Code signing
What is a message digest (according to the book)?
The original message and its hash value.
What is collision free or collision resistance?
A property of hash functions where it is computationally infeasible to find two inputs that hash to the same value.
What does salting a hash do (according to the book)?
Improve collision resistance
What is a dictionary attack?
A brute force attack that attempts to thward security mechanisms using an exhaustive list.
What are common hash functions?
MD2, MD4, MD5, SHA-[012].
Describe hte MD series of hash functions.
All use a 128 bit output.
Proven not to be collision resistant.
Describe the SHA family of hash functions.
SHA-[01] uses a 160 bit output. SHA-224 generates 256 bit output SHA-256 generates 256 bit output SHA-384 generates 512 bit output SHA-512 generates 512 bit output.
I think those are wrong.
Describe HAVAL.
HAVAL is a hash function with variable length output (128, 160, 192, 224, 256)
Which hash function is considered broken and no longer suitable for use?
MD5
What is referential integrity?
Ensuring that data is not left in an orphaned state.
What are cascading deletes?
A process that ensures referential integrity by deleting data from other tables when data is deleted in a table that references them if they share a common key.
What is resource locking?
Disallowing concurrent operations on an object.
What is deadlock?
A condition that can result from improper resource locking where multiple threads are all waiting for each other to release the object.
What is connection pooling?
A database access efficiency methanism where a number of connections are cached for reuse.
What factors should be considered in authentication design?
SSO and multifactor authentication, as well as the type of authentication required as specified int he requirements docs.
Why can SSO have a large security impact?
Because credentials are only verified once.
What should you consider in Authorization design?
Impact on performance, separation of duties, least privilege
What should auditing data include?
Who, What, Where, When
What is modular programming?
a software design technique in which the entire program is broken down into smaller subunits or modules
What does it mean when a module is cohesive?
each module is designed to perform one and only one logical operation.
What is the Single Responsibility Principle?
A software engineering principle related to modularity. EAch code unit should only do one thing and have one purpose.
What is coupling.
Coupling is a reflection of the degree of dependencies between modules, i.e., how dependent one module is to another.
How hsould modules be with respect to cohesion and coupling?
They should be highly cohesive and loosely coupled.
How hsould modules be with respect to cohesion and coupling?
They should be highly cohesive and loosely coupled.
What is separation of duties?
Compartmentalizing software funcitonality into two or more conditions, all of which must be satisfied before an operation can complete.
Split cryptographic keys, for example.
What is defense in depth?
Also called layered defense.
Using multiple layers of controls such that a single vulnerability does not result in a compromise.
What is “fail secure”?
A security principle that ensures that the software reliably functions when attacks, and is rapidly recoverable into a normal business and secure state in the event of design or implementation failure.
What does “fail secure” preserve?
Resiliency.
What is resiliency?
Confidentialy, integrity, availability
What is economy of mechanism?
A secure design principle which states that the more complex the design of the software, the more likely there are vulnerabilties.
Simpler is generally more secure.
What considerations should we keep in mind with respect to economy of mechanism?
- Avoid unnessary functionality or unneeded security mechanisms
- Strive for simplicity
- Strive for operational ease of use
What is complete mediation?
A security principle that states that access requests need to be mediated each time, every time, so that authority is not circumvented in subsequent requests.
Other hting about complete mediation:
In the design phase, identify all possible code paths that access privileged and sensitive resources. The design must require the code paths to use a single interface that performs access control checks before performing the requested operation.
What is Kerchoff’s principle?
All information about a cryptosystem except the key should be public, and the security of the cryptosystem is dependent on the secrecy of the key.
What is hardcoded credentials in source code an example of?
Security through obscurity.
What are the principles of open design?
- The security of software should not be dependent on the secrecy of the design
- Security through obscurity should be avoided
- Design of protection mechanisms should be open for scrutiny by members of the community.
What is Least Common Mechanisms?
the security principle by which mechanisms common to more than one user or process are designed not to be shared.
What is psychological acceptability?
the security principle that states that security mechanisms should be designed to maximize usage, adoption, and automatic application.
What features should security controls have to promote psychological acceptability?
- Be easy to use
- Do not affect accessibility
- Be transparent to the user
What are the benefits of using tested and proven existing libraries and common components?
- The attack surface is not increased (you’re already using the code)
- No new vulnerabilities are introduced
- Can also increase productivity
What is unmanaged code?
Code that:
- isn’t managed by any runtime environment
- is compiled to native code that will execute only on the processor architecture it’s compiled for
- memory allocation is not managed. Pointers can be manipulated
- Requires developers to write routines to check memory allocation, array bounds, etc.
What is managed code?
Code that has the following characteristics:
- Is not directly executed by the OS, but is managed by a run-time environment
- Is not compiled into native code, but into an Intermediate Language (IL)
- Not generally susceptible to buffer overflows, format string vulnerabilties
- Relatively shorter development time because memory management, exception handleing, bounds checking, garbage collection, and type safety checking are automatically handled by the runtime environment.
What is an inference attack?
gleaning sensitive information about the database from presumably hidden and trivial pieces of information using data mining techniques without directly accessing the database
What is an aggregation attack?
An attack where information at different, security classification levels, which are primarily nonsensitive in isolation, end up becoming sensitive information when pieced together as a whole.
What is polyinstantiation?
Polyinstantiation means that there exist several instances (or versions) of the database information, so that what is viewed by a user is dependent on the security clearance or classification level attributes of the requesting user.
What are the two ways to accompliah database encryption?
- Native DBMS encryption
* Cryptographic resources outside the database.
What is TDE?
Transparent Database Encryption. Cryptographic operations on a database that are transparent to the application layer. Can have substantial performance impact.
What is the primary weakness to using native DBMS encryption?
The key is stored in the database.
What is normalization?
A formal technique to organize data so that redundancy and inconsistency are eliminated.
What is first normal form?
No Repeating Groups or fields in a table, e.g. fields with multiple values.
What is second normal form?
No duplicates / eliminate redundant data
Also informally “eliminate non key-dependent duplicate data” rule.
What is third normal form?
Data not dependent on the primary key of the table must be elminiated and stored in its own table.
What is the drawback to database normalization?
Performance degradation
What is denormalization?
Decreasing the normal form of a database deliberately, usually for performance reasons.
What is a trigger?
A special type of procedure that is automatically executed upon the occurrence of certain conditions within the database.
What is a database view?
a customized presentation of data that may be held in one or more physical tables (base tables) or another view itself.
A virtual table.
What is DML?
Database Manipulation Language (INSERT, UPDATE, DELETE, etc).
What is a SMI?
A Security Management Interface
An interface used to manage the security of the software itself. Administrative. HIgh level of privilege.
Why is it important to secure SMIs?
They typically run at high privilege levels.
What controls should be used for SMIs?
- Avoid remote connectivity and administration
- Employ data protection in transit, using channel security protection measures (SSL, IPSec)
- Use least privilege accounts and RBAC
What design processes need to be completed for secure software?
- Attack surface evalution
- threat modelng
- control identification and prioritization
- documentation
What is attack surface evaluation?
A software or application’s attack surface is the measure of its exposure of being exploited by a threat agent, i.e., weaknesses in its entry and exit points that a malicious attacker can exploit to his or her advantage.
What is RASQ
Relative Attack Surface Quotient
What is attack bias?
A value, based on its severity, for attack points in attack surface evaluation.
