Chapter 8: Software Development Security Flashcards
Abstraction
Information hiding - focus on the big picture.
Aggregation
Pulling bits of different data together, then making an assumption via inference.
Agile Model
Most common.
Very flexible in nature.
Allows requirements to change throughout. Good for when a project's requirements change a lot.
Pros:
- fewer defects
- greater flexibility
- immediate feedback
Cons:
- less documentation
- less focus on system design
Atomicity
A transaction is fully complete or it is rolled back. All or nothing; look for the “commit message”.
Attributes - Object Oriented Technology
Descriptors for each class
Auditing
Create an audit policy to track actions back to a subject.
Audits can be used to:
- ensure policies are being followed / are effective
- make sure that individual user accounts aren't unintentionally being allowed to accumulate rights/permissions
- check the accuracy and completeness of transactions that are authorized
- ensure privileged actions are restricted to authorized personnel
Backdoor
Usually created by software developers for emergency entry into a system. An example may be a hotkey for use in the event that a password is not available for access. Obviously it can be used by anyone with such knowledge to gain access to the system. A trapdoor, by contrast, is created via malicious activity.
Broken auth & session mgmt
Application functions related to authentication and session management are often not implemented correctly.
Capability Maturity Model Integrated - CMMI
From Carnegie Mellon. An organization's project management processes can be ranked on their maturity across 5 levels; 5 is best, and most orgs want level 3. Mnemonic: “I really don't mind oranges.” The 5 levels:
- Initial - chaotic and heroic effort
- Repeatable - trying to get processes going... time, scope
- Defined - project management office
- Managed - good understanding of process and product
- Optimized - associated with Kaizen / CPI (continuous process improvement)
Cardinality
The number of rows in a relation; one to many (such as customer to orders made).
CGI
Common Gateway Interface.
Does the input validation.
Classes - Object Oriented Technology
Defines attributes, characteristics, and behaviors
Code Injection
Looking at the language of the database and issuing commands.
Entering malicious code into web forms. Defenses: no brackets, no drop-table... input validation.
Make sure no data control language is entered.
Data type checks... only specific data.
Drop-downs, etc.
Cohesion
Singleness of purpose - you want HIGH cohesion (both have H's :)
Consistency
Enforce any rules that are system-defined or administrator-defined.
Coupling
The dependency between modules - sharing the same code with other apps. You want LOOSE coupling (both have L's in them).
CSRF
Cross site request forgery.
Takes advantage of a website's trust in a user.
Two sessions going on across the user's computer.
Data Marts
Often a regional collection of info from a database.
Data Mining
Process of pulling info from a data warehouse by utilizing metadata. E.g., police mining info about perps...
Data Warehouse
Collection of information from data marts... think of the meth example: law enforcement pulls all the store info into the warehouse.
Database Design - ACID test
Atomicity Consistency Isolation Durability
DB Aggregation & Inference
A way of gathering information and coming to a conclusion based on that. Code injection is only computer-based.
Degree
The number of columns in a relation.
Distributed Databases
Client-server type of DB located on more than one server, distributed in several locations. Synchronization accomplished via a two-phase commit or replication methods. Data accessible in a single search function despite separate locations. The DNS database is an example.
Due Diligence
Is research.
Due care is action... enact policies, etc.
Durability
You can't roll back a transaction; you've got to start over.
Elite
High-level database peeps...
Entity Integrity
Primary Key field can’t be null
Foreign Key
Primary key from one table appears in a secondary table
Hacker
Someone who is very good with computers...
White hat hackers - pen testers.
Black hat - ill intent.
Grey hat - in the middle...
Hierarchical Database
Stores related info in a tree-like fashion. Info traced from major group to sub-group. Predetermined access paths to data; data traced through parents (hierarchy). “Inverted tree.”
Inference
Making assumptions from the aggregated info.
Inheritance - Object Oriented Technology
Objects inherit attributes and behaviors from their superclass.
IPv6
128 bits.
Hexadecimal.
NAT has made the lack of IPs not as big of a deal...
IPv4 is unsecured...
Used as an example when talking about unsecure software: lack of security integration, etc.
Isolation
Until the commit message is received, the transaction is invisible.
Masking
Blocking out sensitive information...
Messages - Object Oriented Technology
Means of communication between objects.
Metadata
“Data about data,” like a controlled substance purchase.
Methods - Object Oriented Technology
Functionality performed by objects.
Monitoring the program
Consistency: results are the same given the same data.
Quantitative: precise, objective, numeric values.
Objectivity: unbiased.
Relevance: should have a direct bearing on a decision.
Inexpensive: should be cost-effective.
NFC
Near field communication.
Like hotel key cards.
Normalization of Database
No duplicates; every table describes the primary key.
Object Oriented Database
Modular and reusable by design (probably not testable).
Objects - Object Oriented Technology
Collection of attributes for a single instance.
OWASP
Open Web Application Security Project.
Publishes a top 10 list of the most commonly orchestrated attacks.
International non-profit.
Polyinstantiation
To lie... multiple instances of an event.
Provide false info to people who don't have clearance; bogus info at lower levels.
Making the information boring through lying... ;)
Polymorphism
Capability of different objects to respond differently to the same message.
Primary Key
The unique identifier that ties all the tables together, i.e., customer number.
Prototyping Software Approach
Pros:
- feedback directly from users
- client and contractor can work very closely
- also allows the software engineer some insight into the accuracy of initial project estimates and whether the deadlines and milestones can be met successfully
Cons:
- clients rarely understand all the ramifications of proposed changes
Referential Integrity
Can reference a non-existing key
Relational Database
Uses tables, i.e., columns and rows. A DB in the form of tables (rows & columns) related to each other. Stores data in such a way that a data manipulation language can be used independently on the data. Uses a database engine (Oracle, Sybase, etc.).
RFID
Radio Frequency ID, like FastPass.
Credit cards, passports...
Rich internet apps
Client-side threats.
2 of them:
Cross site scripting
XSS - attacker takes advantage of a website that doesn't provide validation - code injection.
“Takes advantage of the user's trust of the website.”
CSRF
Cross site request forgery attack.
Takes advantage of two sessions going on at once... messaging with the attacker (“your BofA account has been compromised,” “help to troubleshoot problems,” etc.)... steals that session info.
“Takes advantage of a website's trust in a user.”
Rootkits
Malicious code that is intended to take full or partial control of a system at the lowest level (core or kernel). Rootkits often hide themselves from monitoring or detection and modify system files. Most rootkit infections install backdoors or trapdoors, spyware, or other malicious code once they gain control of the target system.
Script Kiddies
Someone who has no real talent but can copy and paste borrowed code... derogatory term...
Still poses a threat... doesn't understand the ramifications...
Service Oriented Architecture
SOA is an architecture and a vision for how heterogeneous applications should be developed and integrated in the enterprise. Services:
- share a formal contract
- loosely coupled
- abstraction
- composable
- reusable
- autonomous
- standard operating stuff...
Spiral Software Approach
Combo of waterfall (stepping) + the circular nature of prototyping = spiral development.
Pros:
- high amount of risk analysis
- good for large and mission-critical projects
- software is produced early in the software life cycle
Cons:
- can be costly
- risk analysis requires specific expertise
- project's success is highly dependent on the risk analysis phase
- not for smaller projects
Trojan horse
Malicious code that masquerades as a harmless file. It usually performs a variety of actions, including key-logging, opening the computer to further attacks, destroying data or files, among others.
Tuples
Rows (across) in relational databases.
Virus
Spreads from computer to computer by attaching itself to other files... requires user input.
Waterfall Software Dev. Approach
A phase-based approach.
One step after another...
Better for shorter-lived projects.
Pros:
- each phase has specific deliverables
- phases are processed and completed one at a time
- best for small projects
- it reinforces “define before design” and “design before code”
Cons:
- adjusting scope during the life cycle can kill a project
- no working software until late in the game
- high risk and uncertainty
- poor model for long and ongoing projects
- poor model where there is a high probability of change
Why is software unsecure?
Lack of training.
Lack of funding.
No prioritization of security.
Security as an afterthought.
Worms
Malicious code that spreads around a network on its own; self-replicating.
XSS
Takes advantage of the user's trust of a website.
Cross site scripting...
Poor input validation...
Allows an attacker to execute scripts in the victim's browser, which can hijack the user's session.
Insecure direct object references
Defined as an authorized user or process which can invoke the internal functionality of the software by manipulating parameters and other object values that directly reference this functionality, resulting in problems...
Sensitive data exposure
OWASP #6.
HTTP vs HTTPS, etc.
Missing function level access control
Changing parameters in the URL to gain access to information you shouldn't have access to.
OWASP #9: using components with known vulnerabilities
Components such as libraries, frameworks, and other software modules almost always run with full software privileges.
Don't use old crappy code...
OWASP #10
Unvalidated redirects and forwards.
Make sure we're redirected in a valid manner...
Defensive coding
Proactive, secure coding intended to ensure the continuing function of the software under unforeseen circumstances.
Examples:
- input validation
- sanitization - make info more generic, for example output sanitization
- error handling - non-verbose
- safe APIs
- concurrency - use file locking
- tokenizing - replace sensitive data with unique IDs
- sandboxing apps
- anti-tampering - code signing / obfuscation
- versioning
- code analysis / code review
Change Management
Changes must be controlled; there has to be a process.
Should happen in a structured way.
Make sure everything is documented...
Whitebox/clearbox testing
Tester has access to all the code.
Blackbox testing
Zero-knowledge attack.
Fuzzing
Fault injection to see if anything is successful.
Brute-force testing... challenges input validation.
Buffer overflow errors, etc.
Scanning
Passive.
Map the environment.
Identify server versions, open ports, and running services.
Types:
- vulnerability scan
- content scan
- privacy scan - to detect privacy violations
Database Models
- hierarchical - top down
- distributed - DNS, no single server
- object oriented - reusable and modular in nature
- relational database - SQL, Oracle, tables/fields, etc.
What condition is necessary on a web page for it to be used for a cross site scripting attack?
Reflected input.