Chapter 6 Secure Coding Flashcards
Software Development Phases
- Feasibility - should the effort be conducted?
- Analysis and requirements definition - what is the desired functionality?
- Design
- Development - actual coding of application, may include unit testing
- Testing and Integration Phase - formal testing, user acceptance test (UAT)
- Training and Transition Phase - acceptance, installation and deployment
- Ongoing Operations and Maintenance - patching, updates, modification
- Disposition/End-of-life
Code Deployment Environments
Development - where developers actually work
Testing - testing without impact on production environment, pre production and quality assurance
Staging - transition for code that tested successfully and is waiting to deploy
Production - live system
Waterfall (software development model)
Sequential software development, phases to NOT overlap, logically lead to next phase
relatively inflexible, still in use for complex systems
recommended for fixed scope, known timeframe or for stable tech platforms
Spiral (software development model)
Linear software development model, but with iterative process that revisits 4 phases for expansion significant emphasis on risk assessment 1. Identification 2. Design 3. Build 4 Evaluate
- round 2 requirements
- update design
- second build
- test and reassess risks
Agile (software development model)
Iterative and incremental process rather than linear, Agile focuses on creating working software that is flexible and adaptable rather than hard and fast rules with comprehensive documents and contracts.
- Individuals and interactions are more important than processes and tools
- working software is preferable to comprehensive documents
- customer collaboration replaces contract negotiation
- responding to change is key rather than following a plan
Continuous Integration v. Continuous Deployment
Cont. Integration is a developmental practice that checks code into a shared repository on a consistent ongoing basis
Cont. Deployment rolls out changes into production automatically as soon as they’ve been tested
OWASP secure coding practices
- define security requirements
- leverage security frameworks/libraries
- secure database access
- encode and escape data
- validate all inputs
- implement digital identity
- enforce access control lists
- protect data everywhere
- implement security logging and monitoring
- handle all errors and exceptions
API security
Application Programming Interfaces are interfaces between clients and servers or apps and OS that define how the client should ask for information from the server and how the server should respond.
- useful but must be secured
- programs in any language can implement API
Code review
Pair Programming - agile technique where one developer writes while one reviews as they write it. Adds cost and quality.
Over the Shoulder - requires the developer who wrote the code to explain it to the other developer.
Pass around Code Reviews - flexible but peers can’t learn about code from the developer
Tool Assisted Code Review - software based code review Atlassians Crucible, Codacy’s static code review, Phabricators Differential Code Review
Formal Code Review is in depth an time consuming, Fagan Inspection is the formal code review product
Manual code review is the process of reading the source code line by line to identify potential vulnerabilities
Static Code Analysis
Static Code Analysis can be seen as white box testing where testers have full visibility, focuses on understanding how the program is written and what its intended to do.
Dynamic Code Analysis runs the code while providing input to test the software
What is Fuzzing
Fuzz testing sends invalid or random data to an application to test its ability to handle unexpected data.
- This only identifies simple problems
Injection Vulnerabilities
Injection allows attackers to supply code to a web application and trick the web server into either executing the code or passing it to another server
Allows an attacker to relay malicious code through a web app to the supporting OS or other system
SQL injection
modifying SQL requests attackers provide input into web app, then monitor for the result.
-Blind SQL injection is when an attacker cannot review the results.
best defense is to validate data
Blind Content Based v. Blind Timing Based SQL injections
Blind Content Based - attacker sends input to the web app that tests whether the app is interpreting injected code before attempting an attack.
Blind Timing Based - attackers use the amount of time required to process a query as an attack vector. sometimes programmers insert a delay before the next action. If an attacker probes such a system and it returns immediately, its probably not vulnerable.
SQLmap and Metasploit automate blind timing based attacks
LDAP and DLL
DLL is a windows library containing code and data.
Command Injection
In some cases, app code may reach back to the OS to execute a command. This is especially dangerous because attackers can exploit a flaw in the app and gain direct access to the OS.
Session Hijacking
This occurs when an attacker commandeers an existing authenticated session. Usually done using cookies.
Session Replay Attack
Replay attacks are network attacks that repeat or delay a valid data transmission. A hacker can steal the users Unique Session ID stored as a cookie, URL or form field and gain authorization.
How to protect against cookie theft?
secure cookies, which are never transmitted over unencrypted HTTP connections.
what is a NTLM Pass the hash attack?
Replay attack against the OS rather than an app. the attacker begins by gaining access to windows system then harvest stored NTLM password hashes
What is insecure direct object reference?
Sometimes apps pull data directly from database. if the app doesn’t validate checks, this attack can occur.
Remember link with student ID on the end of the URL, the user can change the student ID and see data.
What is directory traversal?
type of HTTP exploit used to gain access to restricted directories or files
/../../etc/psswrd
What is file inclusion?
File inclusion takes directory traversal to the next level, instead of simply retrieving a file from the local OS, file inclusion attacks actually execute the code within a file allowing the attacker to fool the web server into executing arbitrary code.
What is privilege escalation?
Shifting from initial access to more advanced privileges such as root access.
Privilege escalation specifically seeks to increase the level of access an attacker has to a target system
What is API
Application programming interface is a set of definitions and protocols for building and integrating application software, it specifies how the client and server will communicate.
What is cross site scripting?
Type of injection where malicious scripts are injected into otherwise trusted websites. XSS occurs when attackers use a web app to send malicious code to the end user, whose browser has no way to know the script should not be trusted. The script can then access any cookies or session tokens retained within the browser.
This can occur anywhere a webapp uses input from the user in the output without validating or encoding it
Reflected (non-persistent) XSS vs. Stored (persistent) XSS
Reflected XSS occurs when apps allow reflected inut (hello, [name])
Stored XSS include forum posts or social media with links posted that contain a payload. There is no specific target.
DOM based XSS hides code in Document Object model, which is not visible when viewing the HTML source.
what is XSRF attack?
similar to XSS but exploits trust relationships. XSS exploits trust users have in a website, while XSRF exploits the trust remote sites have in the users system.
Attackers may leave a link in a forum. when the user clicks the link while logged into their bank, a wire transfer from the user to the attacker succeeds. hence cross site.
How to prevent XSRF?
use secure tokens and check referring URL only accept own site requests
SSRF
Server side request forgery
instead of tricking the users browser into visiting a URL (XSRF), they trick the server into visiting a URL based on user supplied input.
This is possible when web apps accept URLs from user as input then retrieves info from that URL
Wayback Machine is an example, remember wayback machine SSRF
Input Validation
White listing - developers describe the exact type of input expected from the user then verifies that the input matches
Black listing - developers try to describe potentially malicious inputs that must be blocked
MUST ensure validation on the server side rather than on the clients browser
Parameter pollution can defeat validation
Parameter Pollution
sends web app more than one value for same input
php?account12345&account12345’ OR 1=1;–
Web App Firewalls WAF
always have input validation as primary defense against injection attacks
WAFs function similarly to network firewalls but they work at the application layer
WAFs sit in front of a web server and receives all network traffic headed to that server
What is the primary defense against injection attacks?
Input Validation
Database Normalization
this is a set of design principles database designers should follow
- prevent data inconsistency
- prevent update anomalies
- reduce need for restructuring existing databases
- make the database schema more information
What is the purpose of parameterized queries?
to protect applications against injection attacks, also improves database performance
Data obfuscation and camouflage techniques
Data minimization - don’t collect/keep unnecessary data
Tokenization - replacing sensitive data with a nonsensitive number that represents that data, and can be used in a database to bring the sensitive data up. Must keep the look up table secure!
Masking - replace personal identifiers with asterisks.
Hashing - uses cryptographic hash to replace sensitive identifiers with irreversible alternative identifier.
Salting - adding random characters to the end of an input before it is hashed. this prevents rainbow table attacks.
What is a Software Development Kit?
a collection of software libraries combined with documentation and examples of other resources to help programmers get things going quickly
Dead code, code reuse, code repository
Dead code - code in use that nobody is maintaining or responsible for, unknown source code file location
Code reuse - instead of writing code for mundane tasks, developers can locate libraries that contain relevant functions
Code repository - centralized locations for storage/management of application source code
What is code signing?
Provides developers a way to confirm the authenticity of their code, it is a cryptographic function to digitally sign code with the developers own private key.
What are benefits to Software Diversity?
helps avoid single points of failure
minimizes attack surface as well as potential damage
alternative compiler results in different binary each time
Scalability and Elasticity
Scalability is the ability to increase workload of a given infrastructure,
Elasticity is the ability to increase/decrease available resources as workload changes
Code Integrity Measurement
uses cryptographic hash functions to verify that the code being released into production matches the code that was previously approved
What is the purpose for source code comments?
To document changes, explain workflows, offer details to anyone who has to modify or troubleshoot source code
Can also provide attackers with a roadmap of how code works
Ensure comments remain private
Resource exhaustion
When systems consume all available memory, storage, processing, time that is available, which cripples the system
Pointer dereferencing - pointers store an address of another location in memory. if pointer is empty, null value can crash the system or allow bypass of security controls
Buffer overflow
attacker manipulates a program into placing more data into an area of memory than is allocated for that programs use
the goal is to overwrite other information with instructions that may be executed by a different process on the system
Race Conditions
when the security of a code segment depends on the sequence of events occurring within the system. Time of Check to Time of Use (TOCTOU) is a race condition that occurs when a program checks access permission too far in advance of a resource request.
Driver Manipulation - what is shimming vs refactoring?
shimming is wrapping malicious driver outside the legitimate driver (without access to driver source code)
Refactoring is done when attacker has access to the driver source code, and modifies it to include malware.
Device drivers use code signing. Drivers without code signing are likely to be flagged as suspicious by the OS.
