Domain 8 Flashcards
What is software security?
- Security is most effective when planned and implemented throughout the entire lifecycle
- the goal is to ensure data and software integrity, confidentiality, and availability
- current applications and operating systems are vulnerable because adequate controls are not in place
Must include security in the entire development lifecycle from initial design to final quality assurance
What are capability maturity models?
How mature is your software development process? Do you have a process?
Capability maturity models are developed through surveying and analyzing numerous organizations to determine characteristics associated with effective processes.
What is CMMI? Capability Maturity model integration - focused on quality management practices and established a basis for evaluation of the development process.
**know carnegie mellon CMMI maturity levels for the exam - this was created for improving processes for software development but has expanded to encompass more.
What are the CMMI levels?
Capability Maturity Model Integration (CMMI)
**memorize these 5
Level 1: Initial - software process is characterized as ad hoc, and occasionally even chaotic. Few processes are defined, and success depends on individual effort and heroics
Level 2: managed - basic project management processes are established to track cost, schedule and functionality. The necessary process discipline is in place to repeat earlier success on projects with similar applications
Level 3: defined - the software process for both management and engineering activities is documented, standardized ,and integrated into a standard software process for the organization. All projects use an approved, tailored version of the organization’s standard software process for developing and maintaining software.
Level 4: quantitatively managed - detailed measures of the software process and product quality are collected. Both the software process and products are quantitatively understood and controlled.
Level 5: Optimizing - continuous process improvement is enabled by quantitative feedback from the process and from piloting innovative ideas and technologies
What is SDLC?
It was created to ensure software was developed in an orderly fashion and to ensure completeness.
Stages:
- initiation and planning
- definition of requirements
- design specifications
- actual development and documentation of applications
- testing evaluation and acceptance
What is waterfall SDLC?
Divides a software development project into well-defined sequential stages with specific milestones at each of the stages. After all phases are complete, the product is delivered.
Most direct toward the objectives with the shortest development time and cost possible.
after each phase is completed, it is closed and not revisited. There is no customer involvement.
cannot go back and revert back. even if you know you messed up.
any delays cascade down
Drawbacks:
- little flexibility in changing the scope of a project because you can only revert back on stage and no more
- system shortcomings may not be discovered until the product is finally released for use in production
Verification - ensure that the product being developed meets specifications
Validations - ensures that the product solves a real world problem or its operational mission
What is spiral SDLC?
Phases occur in order, but in an ever-widening spiral of larger and larger activity - phases are repeated over and over
Risk is a driving factor behind the spiral model - risk is mainly project failure
Managing risk is what spiral is for. **see spiral look for the word risk on the exam
each spiral is a new project plan and you take lessons learned from previous spiral and apply it and expand more and more. think the honda hybrid car example
What is software prototyping (SDLC)?
development of a working model or mock up for review
- functionality of the prototype varies considerably
- could simply be nonoperational mock-up
subsequent refinement of model based on feedback form both users and developers
prototyping typically implies frequent customer / client interaction throughout the project
what is Agile SDLC?
Pair programming - two developers coding from on machine in which the second developer reviews codes as it is written
continuous integration - integrating multiple developers contributions back into the main project can be a cause of issues. Continuous integration seeks to address the problem by regularly integrating developer contributions back into the main branch and thereby finding out about issues earlier
continuous deployment - similar to continuous integration, but the code is actually deployed into production rather than just pushed back into the main branch
two more formal manifestations of agile are extreme programming (XP) and scrum
gives you speed. responds to change vs. following a plan. you can go back and fix something when it is wrong. find the bug and fix it when you find it.
What is extreme programming (XP) SDLC?
An agile development method.
- Paired programming - work off a detailed specification
- — one programs while the other assists and verifies adherence to the spec. you work off the spec.
- — thw two may swap places from time to time.
- — one programmer programs, the other watches and makes sure there are no bugs. They must follow the spec and how detailed it is.
- high level of customer involvement
- detailed test procedures
Total customer involvement - customer is always available and carefully monitors the project
What is Scrum? SDLC
An agile method
Scrums contain small teams of developers, called the Scrum team.
The team tries to go the distance as a unit, passing the ball back and forth as you need. Conrad is working the code, he is stuck, Jim comes in. Other people come in and take over. Like in rugby you all run down the field together and pass back if you need to hand off to someone to keep going the distance
Scrum master - senior manager of the org who acts as a coach for the team - acts as a mentor, clears out business issues, gets funding
The product owner represents the business unit
What are programming tools?
CASE tools - the code writes the code. CASE = computer aided software engineering tools - they are used to develop application systems faster and to increase programmers and analysts productivity
IDE: an integrated development environment provides a workspace for the developer and typically allows code editing, debugging, and compiling/building
- many IDEs attempt to provide features to increase efficiency, and perhaps avoid defects
- IDEs are usually built to support only one or more specific languages
- eclipse and MS visual studio are two popular IDEs
What is DevOps (Development + Operations) SDLC?
Seeks better understanding, communication and integration among the development and operations portions of the organization. In addition to providing flaws, this approach also seeks to streamline the process of deploying an application into operations, which can make for more efficient application updates.
seeks to address issues that can arise from the separation of development and the operational environment - successfully deployed application in operations is the product, not simply the code - application issues can stem from code, but can also stem from the operational environment
focus involves closer integration of development and operations and typically establishes known and consistent environments - avoids issues and allows for more efficient delivery of app updates.
developers do not implement security features. They can put their code into production but you still have production security. You write better code if you see the response. security people still play their role. Developers do not take on any security function, they assist production and have a closer relationship with the code. Developers are there but they do not implement security features.
What is SD3+C?
stands for secure by design, by default, by deployment, and communications.
It is the centerpiece of Microsoft security development lifecycle
- incorporates security through all phases of the product lifecycle
Secure by default:
- least privilege
- defense in depth
- conservative default settings
- avoidance of risk default changes
- less commonly used services off by default
secure in deployment:
- deployment guides
- analysis and management tool`s
- patch deployment tools
What is the software environment?
It is important to the security of operations on information systems since this is where exploits affect the most. The software environment is involved in the control, restrictions and access to exploitable areas.
The software environment must be set before computer operations can be conducted.
This environment can have an impact on the security of the application.
What are application architectures?
The first element of software environment is understanding the application architecture.
Distributed computing:
- client/server - allows the use of server based applications by interfacing via the client
- 3-tier - most commonly associated with web applications (web front end, middle-ware, Back-end data store)
- peer-to-peer - each endpoint equally capable. **integrity is usually the answer for peer to peer (think of napster) - searching for files was client/server - the download was peer to peer. - how do you know you have all the data, need hashing and that provides integrity
**middleware - this is applications talking to applications, like a thin client
What are remote procedure calls?
When a client sends input to a remote system process to carry out an action in distributed applications. However, when a process interfaces with a remote running process, this can be an example of a remote procedure call (RPC)
Common object request broker architecture (CORBA) is a traditional solution to this problem to coordinating the communication.
What is peer to peer (P2P)?
Peer to peer is when applications have equal capabilities and responsibilities, and there is no main controller. Exchange is permitted between applications or systems, even though there is no central enforcement that prevents such an exchange. The control is delegated to each of the peers and security is difficult to maintain.
It is decentralized. Deviates from the traditional client/server architecture by allowing each system to operate as both client and server.
P2P architecture does not necessitate central servers.
It is fully decentralized architecture and can provide for increased resiliency and availability in the face of failures.
Think integrity - you must hash to know the integrity of the data.
What are software environment issues?
Open Source:
- public development and scrutiny can lead to more secure environments
- source code is publicly available
- Apache, linux - can I see the source code, dont need a license.
- can I view the source code legally and publicly
Closed Source:
- source code is proprietary
- third party access may be provided by an NDA
“Free” Software:
- freedom to change the
Can I view the source code?
Can I change it?
Do I pay for it?
Ganu public license: (GPL)
- free squared - free of charge and free to change. If you change it, you must share your changes
What is disclosure?
Responsible Disclosure:
- Privately notify a vendor if you discover a security flaw in a source code
- vendor must act responsibly by fixing the flaw in a reasonable amount of time and not threaten legal action against the researcher
- *** exam wants responsible disclosure - you can full disclose but only after a very reasonable amount of time
Full Disclosure:
- intentional public release of bugs and exploit code to force security issues
- serious flaws tend to get fixed quickly, but collateral damage may occur
- happens because vendors were ignoring when people would tell the vendor about a bug
- exploit is now out before the patch - the bad guys know about it and worms come out
What are general security principles for a development environment?
Authorization
- all personnel should have proper authorization
Risk Reduction
- code review
DevOps has blurred the separation of duties between developers and operations
- development staff support operations and security
- developers do not directly manage security functions
Accountability
- No access directly to database
- Production data managed by users, not support staff
- All access to production data should be logged
Least Privilege:
- access given to necessary data only
Layered defense:
- multiple controls
What are some software vulnerabilities?
- Privilege Escalation
- Buffer Overflow
- Integer Overflow
- SQL Injection
- XSS
What is privilege escalation?
Increases a users or processes privilege, typically to a superuser level
Most privilege escalation attacks require non-privileged local access
- setuid root programs are a frequent target of privilege escalation attacks
What is a buffer overflow?
Occurs when a programmer fails to perform bounds checking. You smash the stack. May allow an attacker to write arbitrary data to the stack, including machine code. There are a number of mechanisms for executing that code, including overwriting the return pointer to jump the code.
Allows an attacker to write more than the byte limit in a data field. The extra characters past the end of the buffer are written to the stack. You then write arbitrary content to memory including machine code
What is a memory leak?
Memory leaks occur in applications that request and later improperly release memory.
Most common symptom: ever growing memory footprint of an application - usually leading to application DoS
Sensitive information can also be divulged via memory leaks.
Memory leaks lead to DoS, meaning availability is at risk but can also risk confidentiality by exposing sensitive data.
