Domain 8 Flashcards

1
Q

What are all the Software Development Maturity Models

A

Core Focus: Software Security Assurance

1) CMMI / SCMM (Capability Maturity Model)

INITIAL
Disorganized, no process

REPEATABLE
A life cycle management process is introduced, with repeatable results: software project planning, tracking, quality assurance, etc.

DEFINED
S/W developers operate with formal procedures. More organized.

MANAGED
Detailed understanding of development. Quantitative Process & Quality Management.

OPTIMIZED
A sophisticated software development process is in place. It is feedback oriented and includes change management.

2) Software Assurance Maturity Model (SAMM)

Open source project maintained by OWASP

GOVERNANCE
The activities an organization undertakes to manage its software development process. This function includes strategy and metrics, policy and compliance, and education and guidance.

DESIGN
The process used by the organization to define software requirements and create software. This function includes threat modeling, threat assessment, security requirements, and security architecture.

IMPLEMENTATION
The process of building and deploying software components and managing flaws in those components. This function includes secure build, secure deployment, and defect management practices.

VERIFICATION
The set of activities undertaken by the organization to confirm that code meets business and security requirements. This function includes architecture
assessment, requirements-driven testing, and security testing.

OPERATIONS
The actions taken by an organization to maintain security throughout the software lifecycle after code is released. This function includes incident management, environment management, and operational management.

IDEAL MODEL
Initiating: The business reason for the change is defined.
Diagnosing: Analyze the current state of the organization.
Establishing: Takes the general recommendations from the diagnosing phase.
Acting: Develops solutions, then tests and refines them.
Learning: Must continue to improve.
GANTT CHART: used for project scheduling.
Gantt charts use a row for each task, with lines showing the expected duration of each task.

Work breakdown structures are an earlier deliverable that divides project work into achievable tasks.

Wireframe diagrams are used in web design and are not related to project scheduling.

PERT CHART (Project Evaluation Review Technique):
Used to estimate the size of the product and the standard deviation for risk assessment.
PERT charts use nodes to represent milestones or deliverables and show the estimated time to move between milestones.

2
Q

API

A

APPLICATION PROGRAMMING INTERFACE

INTRODUCTION TO APIs:

Standalone Web Applications:
Early web applications operated independently, processing user requests and providing outputs without interaction with other services.

Modern Web Applications:
Now, web applications are interconnected, often relying on multiple web services to function. For example, a retail website might integrate with payment processors, social media platforms, shipping services, and referral programs.

WHAT IS AN API?

An Application Programming Interface (API) allows different software systems to communicate with each other; it is how one web service interacts with other web services.

Instead of interacting with a system through its user interface, developers can use APIs to access the underlying service directly through function calls.

Examples of API Calls:
POST STATUS :
Update a status on a social media platform.

FOLLOW / UNFOLLOW USER:
Manage user connections.

LIKE/FAVORITE A POST:
Interact with content.

3
Q

API Security

A

Rate limiting is a technique used to control the number of requests a user or service can make to an API within a specific time period (e.g., 100 requests per minute).

SUMMARY
- Limit request rates
- Authentication
- Protect API Key
- Use curl for API interaction
- Testing

1) Limiting request rates can prevent abuse of APIs.

Rate limits are enforced on the server side.

WHY USE RATE LIMITING?

PREVENT ABUSE:
By restricting the number of requests, rate limiting helps prevent users from overwhelming the API with excessive traffic, either unintentionally or maliciously [Denial-of-Service (DoS) attacks].

FAIR USAGE: Ensures that all users have fair access to the API, avoiding situations where a single user or service monopolizes the API’s resources.

PROTECTION AGAINST BRUTE FORCE ATTACK: Limits the number of login attempts or data retrievals, reducing the risk of brute force attacks on authentication endpoints.

2) Authentication Requirements:

Public APIs: Some APIs, like those providing weather data or public product inventories, don’t require authentication.

Private/Restricted APIs: APIs that allow modifying data, placing orders, or accessing sensitive information need secure authentication.

API Keys: Authentication is often done using API keys—complex strings provided to authorized users, passed with each API call. The server verifies the API key to ensure the caller is authorized.

3) Developers should protect API keys (similar to passwords)

Sensitive Nature:
API keys should be treated like passwords—stored securely and transmitted only over encrypted channels.

If an unauthorized person gains access to your API key, they could perform actions on your behalf.

4) Using CURL for API interactions

WHAT IS CURL?:
curl is an open-source command-line tool available on all major operating systems. It allows users to interact with web services directly from the command line, without the need for a browser.

5) API Security Testing:

Thorough Testing: Like any web application, APIs must be rigorously tested to identify and fix security flaws. This includes testing for common vulnerabilities such as unauthorized access, data exposure, and injection attacks.

4
Q

What are Botnets used for?

A

NETWORK SCANNING: Identify vulnerable systems on a network for potential exploitation.

BRUTE FORCE ATTACKS: Attempt to gain unauthorized access to systems by systematically trying different password combinations.

CRYPTOCURRENCY MINING: Illegally mine cryptocurrency using the processing power of infected devices.

SPAM DISTRIBUTION: Send out large volumes of spam messages, often for phishing or spreading malware.

Not Commonly Used for:
Man-in-the-Middle (MitM) Attacks: Typically conducted through DNS poisoning or similar techniques, rather than using botnets.

5
Q

Macro Virus

A

Commonly found in office productivity documents, such as Microsoft Word documents that end in the .doc or .docx extension.
They are not commonly found in executable files with the .com or .exe extension.

6
Q

Polymorphic Virus

A

Polymorphic viruses mutate each time they infect a system by making adjustments to their code that assist them in evading signature detection mechanisms. Encrypted viruses also mutate from infection to infection, but do so by encrypting themselves with a different key on each device.

7
Q

Referential Integrity

A

Referential Integrity in Databases:

Referential integrity is a property of relational databases that ensures consistency between tables by enforcing relationships between data in different tables.

Foreign Keys: Referential integrity is maintained through foreign keys, which link a column in one table (the child) to a primary key in another table (the parent).

Key Rules:

No Orphan Records: Ensures that a foreign key value in the child table must either match a primary key value in the parent table or be null (if allowed).

Cascading Actions: Supports actions like cascade delete or cascade update, where changes to the parent table automatically apply to related records in the child table.

Purpose:

Data Integrity: Prevents invalid data relationships, ensuring that records remain accurate and consistent across tables.

Error Prevention: Stops the insertion of records with foreign keys that do not correspond to existing primary keys, preventing logical errors.

Example:

Employee and Department Tables: If each employee in an Employee table is assigned a department through a foreign key (e.g., DepartmentID), referential integrity ensures that every DepartmentID in the Employee table exists in the Department table.

8
Q

Overt and Covert Channels

A

1. Overt Channels:

Definition:

Legitimate communication pathways that are designed and intended for data transfer between entities within a system.

Characteristics:

Authorized Use: They are established, documented, and sanctioned for regular operations.

Transparent: Their operations are clear, and their usage is typically monitored and logged.

2. Covert Channels:

Definition: Unauthorized communication pathways that enable the transfer of information in a manner that violates the system’s security policy.

Characteristics:

Hidden Communication: Designed to obscure the fact that communication is taking place.

Exploits Legitimate Channels: Often leverage overt channels in unintended ways to hide data transfer.

Difficult to Detect: Their hidden nature makes them challenging to identify and monitor.

Types of Covert Channels:

Covert Timing Channel: Information is conveyed by altering the timing of events or processes.
Example: Modulating the intervals between packets sent over a network to encode data.

Covert Storage Channel: Information is stored or hidden in areas not intended for communication.

Example: Using the least significant bits (LSB) of image files (steganography) to embed hidden messages.

9
Q

CROSS SITE SCRIPTING ATTACK

A

Attacks where the malicious user tricks the victim’s web browser into executing a script through the use of a third-party site are known as cross-site scripting (XSS) attacks. This particular attack is a persistent XSS attack because it remains on the discussion forum until an administrator discovers and deletes it, giving it the ability to affect many users.

The code that Linda discovered in the message is a definitive example of an attempt to conduct cross-site scripting, and the alert box that she received demonstrates that the vulnerability exists.
ALERT:

<script>alert('Alert');</script>

The script that Linda discovered merely pops up a message on a user’s screen and does not perform any more malicious action. This type of script, using an alert() call, is commonly used to probe websites for cross-site scripting vulnerabilities.

MITIGATION

Web application firewalls (WAFs) sit in front of web applications and watch for potentially malicious web attacks, including cross-site scripting. They then block that traffic from reaching the web application.

Input validation verifies that user-supplied input does not violate security conditions and is the most effective defense against cross-site scripting attacks.

Cross-site scripting (XSS) attacks may take advantage of the use of reflected input in a web application where input provided by one user is displayed to another user.

10
Q

IDE

A

Integrated Development Environment (IDE):

DEFINITION:

A software application that provides comprehensive facilities to computer programmers for software development.

Components:

SOURCE CODE EDITOR:

A text editor designed for writing and editing source code.

DEBUGGER:

A tool that helps developers test and debug their code.

COMPILER / INTERPRETER:

Converts source code into executable code. A compiler translates a high-level language into binary; an interpreter executes the source directly without prior conversion and is meant for heterogeneous environments.

BUILD AUTOMATION TOOLS :

Facilitates tasks like compiling, packaging, and running tests.

VERSION CONTROL INTEGRATION:

Allows for code versioning and collaboration among developers.

11
Q

Database

A

Lost updates

occur when one transaction writes a value to the database that overwrites a value needed by transactions that have earlier precedence, causing those transactions to read an incorrect value.

Dirty reads

occur when one transaction reads a value from a database that was written by another transaction that did not commit.

Incorrect summaries

occur when one transaction is using an aggregate function to summarize data stored in a database while a second transaction is making modifications to the database, causing the summary to include incorrect information.

12
Q

Session Hijacking

A

Transport Layer Security (TLS) provides the most effective defense against session hijacking because it encrypts all traffic between the client and server, preventing the attacker from stealing session credentials.

13
Q

Polyinstantiation

A

allows the storage of multiple different pieces of information in a database at different classification levels to prevent attackers from inferring anything about the absence of information.
