Chapter 10 - Software Security Flashcards
Initiation
The first step: the idea, choosing a vendor vs. homebrew, the project-level risk assessment. Will this work?
Software development lifecycle
Initiation
Acquisition
Implementation
Operation/Maintenance
Disposal
Certification vs accreditation
Certification is the technical testing
Accreditation is the formal authorization
Statement of work
Outlines the work to be performed for a customer on a project
Scope creep
When the purpose of a project shifts during the process and additional steps are added
Work breakdown structure
A project management tool used to group sets of activities logically to keep focused
Privacy risk assessment
A software risk assessment to discover vulnerabilities
Privacy impact rating
The level of impact per item on the privacy risk assessment, generally rated P1 to P3
What three models of software design are there?
Informational
Functional
Behavioral
Attack surface analysis
Aims to reduce the amount of code accessible by untrusted users
Threat modeling
Model used to detect threat vectors using a threat analysis tree
Threat analysis and modeling tool
Computer-aided software engineering (CASE)
Tools like Dreamweaver and Visual Studio
Where can I find a list of common code vulnerabilities?
Cwe.mitre.org/top25/#Listing
Static analysis
Automated code review
Unit testing
Testing a module or chunk of code
What are the key components of a test phase?
Test needs to mirror production
Pen testing is necessary
Platform testing
Testing types
Unit testing
Integration testing
Acceptance testing
Regression testing
Fuzzing
Throwing random data at a solution to see what errors occur in order to detect vulnerabilities
Dynamic analysis
Watching the code stream and sub-level messages to ensure the code is running correctly
Maintenance hook
Code used for troubleshooting low-level code; it should be removed in production
Verification vs validation
Verification determines accuracy to spec
Validation determines whether the product solved the intended problem
Zero day vulnerability
Vulnerability that does not have a fix yet
WASC
Web Application Security Consortium, a web organization that tracks attacks on the Internet
OWASP is the open standard for this
ISO 27034
Software development guidelines
Build in security
A Homeland Security effort that produces guidelines for software developers
Build and fix model
Build and deploy first, then fix
Waterfall model
Each phase is completed in entirety and cannot be returned to until the process is completed as a whole
V-shaped model
Similar to waterfall but with testing at each stage that can fall back to previous steps
Rapid prototype
A throwaway prototype meant just to see it in action
Evolutionary vs operational prototype
An evolutionary prototype is not discarded but evolved; operational means it is put into production
Incremental model
Many small waterfalls take place with each phase
Spiral model
Slow-moving, security-conscious and risk-centric model with evolutionary and operational prototypes in the mix
Rapid application development
Demonstrate, refine, build, repeat
Agile model
Function-based incremental code that is assembled on the fly and driven by customer requirements
Exploratory model
Specification based development
Joint analysis development
Workshop oriented development
Reuse model
Taking functions already made and piecing them together
Clean room development
Development that is mostly test-based and meant for certification
Capability maturity model integration
A maturity model that helps companies work together in development
CMMI stages
Initial
Repeatable
Defined
Managed
Optimized
Software configuration manager
GitHub-like software
Software escrow
When software is stored for individuals in a software ‘vault’
Assembly language
Uses an assembler to turn commands such as ADD, PUSH, POP, etc. into binary
High level language
C is considered a high-level language and uses else, if and then
Very high-level language
C++ is a good example of this level
Natural languages
C# is a natural language and flows logically and easily
Generation one language
Machine language
Interpreter
Used as an intermediary to run bytecode; Java, Flash, PowerShell and bash are interpreted languages
Garbage collection
Taking all unused memory cells and giving them back to the OS
OOP
Object based language
Method
Actionable code that modifies an object
Encapsulated code
Reusable isolated object
Data hiding
Objects can access other objects only through methods
Library
All needed objects live in one place and exist only once
OOA vs OOD structured analysis
OOA is analysis and classification; OOD is design that modularizes data into objects
Data Modeling
I input 1 and expect 17 as output; let's test
Cohesion
High cohesion means that the tasks of a module are limited and of the same discipline, making it easier to adjust
Coupling
A module's level of dependency on other modules
Data structure
A logical representation of the relationships between elements of data
DCOM vs DCE
DCOM is Microsoft's proprietary distributed computing system that uses GUIDs; DCE is open and uses universally unique IDs (UUIDs)
Common Object Request Broker Architecture
An open object-oriented uniform standard architecture
ORBs
System-oriented brokers (object request brokers)
COM vs DCOM
Component Object Model is for local machines; DCOM is distributed across networked machines
.Net
A framework that has replaced COM/DCOM
OLE
Object Linking and Embedding; enhances COM
J2EE
Java's equivalent of what COM was to Microsoft
Service Oriented Architecture (SOA)
Web-based single destination for service control (automatrix)
UDDI, WSDL, and SOAP
XML-based components that work within SOA
Web 2.0
An internet in which people can supply content without writing code, e.g. Facebook, YouTube, etc.
Mashup
Combining common services; this is what Google did in the '90s with search engines
SaaS
Combining software into a SOA and providing a central access
Mobile Code
Code executed on the client side
JVM
Runs bytecode in an interpreter inside a Java virtual machine sandbox on the client end, regardless of OS
ActiveX
Microsoft OOP using a COM/DCOM-based sandbox
Authenticode
Microsoft's version of digital signatures, implemented in ActiveX
Server Side Includes
Document that dynamically includes information from a server-side .inc file; these files can be accessed and code can be learned from them
Information Gathering
Getting server-side includes, DB passwords, error messages and other information from publicly reachable code
Administrative Interfaces
Admin-accessible consoles should be far more secure than the web interface that the admin console implements
Authentication and Access Control
Authentication credentials (user/pass) should be different per site, secured by SSL, and use a strong password and an uncommon username
Input Validation
Ensures the input is within limits and cannot be used to crash or obtain critical data
Client Side Validation
Works great to reduce server errors and load, but is not secure if it is the ONLY method being used to validate
SQL Injection
Inserting SQL commands into input variables so that they get executed
Cross Site Scripting (XSS)
Cross-site scripting: any injected code that can steal cookies, hijack sessions, execute malware or exploit vulnerabilities
Parameter validation
Validation of system variables that people shouldn't have access to
Session Cookie vs Persistent Cookie
A session cookie is held in memory; a persistent cookie is saved to the machine
What is the risk of a web proxy?
Input, including session cookies, can be changed at the proxy
What is the danger of hidden fields?
They can still be found and modified
Adequate Parameter Validation
Pre-validation of input along with post-validation
Session Management
Usually done with session IDs and should be over HTTPS
Replay Attacks
Capturing requests and resubmitting them to gain access
What are the database models?
Relational - N1 N2 N3
Hierarchical - Subject to Author to Book
Network - Hierarchical with a mesh
Object - Created with OOP trees
Object-relational - OOP front end to a relational backend
What are some client Database Interfaces?
ODBC - Open
OLEDB - OLE
ADO - ActiveX
JDBC - Java
Data Definition Language
Defines the structure and schema of a DB
Data Dictionary
Metadata (data about data) for databases
What is the primary method of ensuring integrity in a DB?
Database Locking
Semantic vs Referential vs Entity Integrity Check
Semantic - Rule checking
Referential - Primary/Foreign Key checking
Entity - Every tuple has a primary key
Rollback database
Undo changes
Commit and Two-Phase commit?
Commit submits the changes; two-phase commit first verifies that all servers that should respond are responsive
Aggregation
Taking two pieces of information and combining them to draw a secret conclusion
Inference
The ability to derive information not directly accessible
Content vs Context dependent access control
Content is based on sensitivity of the data
Context is based on whether the individual would have access to all pieces of the answer before being given any part of it
Cell Suppression
Hiding cells that could be used in inference attacks
Partitioning the DB
Hides part of the answer in one place and another part elsewhere
Noise and perturbation
Adding false data to confuse the message
Database Views
Used to give security to specific collections of tables and rows (tuples) without duplicate data
Polyinstantiation
Creating bogus data to throw off legitimate higher-level data
OLTP
Used to ensure ALL replications of the data are consistent and verified
Data Warehousing
Aggregating key elements of multiple databases into one normalized database used for data mining
Data mining
Mathematical and analytical reporting from a data warehouse
Knowledge discovery in Database (KDD)
Used to classify and collectively organize data mining
Expert Systems
AI, machines that can learn like a human brain
Rule-based programming
Pattern matching to draw inferences in an inference engine
Artificial Neural Network
Computer-aided attempt to recreate the human brain
Malware
Malicious software
Virus
A self-replicating piece of malware dependent on host software
Types of viruses
Macro - script in an application (like Excel)
Boot sector - runs on boot, you get hosed
Compression - on decompress, bam
Stealth - hidden by faking file size or moving contents
Polymorphic - generates noise for the virus scanner
Multipart - infects multiple aspects of a system
Meme - hoax emails
Script - running .vb or .jar files from an untrusted source
Tunneling - installs under the antivirus so it cannot see it
Worm
Self-replicating, application-independent virus
Rootkit
A kit of software that makes it easier to stay hidden, gather information, and remain accessible to the attacker
Spyware
Information gatherers
Adware
Advertisement-based malware
Botnet
Bot-based attacks commanded by a C&C
Command and Control (C&C)
Used to centrally manage all bots at the same time, often used for DDoS, but many other applications are feasible
Fast Flux
Rapidly changing DNS records for malicious sites to disguise the source
Logic Bombs
“If account disabled, delete database”
Trojan
A disguised application, e.g. notepad.exe
Remote access trojans (RATs)
A trojan that installs an agent that gives remote access (SubSeven or Back Orifice)
Signature based antivirus
Fingerprint-based; effective, but there is a ‘long’ delay between when the virus is released and when it is fingerprinted
Heuristic antivirus
Analyzing code and making assumptions that it is malware
Static vs Dynamic Analysis
Dynamic is running the code; static is not
Behavior Blocking
Allows the virus to run, but inhibits its ability to function by taking away OS functionality
Immunizer
Makes a particular functionality look infected, to fool the virus
Bayesian filtering
Mathematical logic used to detect patterns