Domain 8 - Software Development Security Flashcards
Code repositories
- where source code and related artifacts (such as libraries) are stored. Do not commit sensitive information, protect access to code repo, sign your work, keep dev tools (IDE) up to date, most repos use git (most widely used modern version control system)
Code libraries
- improve security and reduce risk, ie certain languages are prone to certain attacks > in lower level languages like C, use of safe memory allocation and string manipulation libraries can reduce risk of buffer overflow attacks. Utility functions that other people have written ie encryption, bulk data transfer, etc.
Runtime
- describes the period of time during which a software program is running, where dynamic application testing (DAST) evaluates the security of an application, assessing software sec at runtime is generally the only option because you don’t have option to the source code, for containers scan at build time and runtime, both source code and runtime scan for apps is best practice when source code is available
CI/CD
- continuous integration continous delivery, how we deliver frequent releases, implement identity and access management (including MFA) to restrict access to pipeline, store secrets securely and scan code to ensure no hard-coded secrets, implement role-based access control (and least privilege access) to the environment, automate vulnerability scanning in ci/cd pipeline, release versioning for tracking and recoverability
Static Application Sec Testing
- analysis of software performed without actually executing the program, tester has access to the underlying framework/design/implementation, requires source code, tests “inside out”
Dynamic application sec testing (DAST)
executes the application, tester has no knowledge of underlying tech or source code, “outside in”
SCM (software configuration management)
baselining aka snapshot of a system/ app, should also create artifacts that may be used to help understand system config
Tables (RDBMS)
- aka relations, contain a number of attributes/ fields. Each one corresponds to a column in the table
Rows (RDBMS)
- aka records or tuples, data record within a table, each row reps a complete record of specific item data
Columns (RDBMS)
- set of data values of a particular type, one value for each row of the database ie “first name” “job title” etc, aka fields or attributes, DEGREES of the table are # of columns
Candidate Keys (RDBMS)
subset of attributes that can be used to uniquely identify any record in a table, no 2 records in the same table will ever contain the same values for all attributes composing a candidate key, ie “student ID” or “Patient number”, can be one or more per table
Primary key (RDBMS)
- selected from set of candidate keys for a table to be used to uniquely identify the records in a table, only one per table, chosen at design time, ie “patient number” or “employee ID”
Foreign Keys (RDBMS)
- enforce relationships between 2 tables, aka referential integrity. Ensures that if one table contains a foreign key, it corresponds to a still existing primary key in the other table in the relationship
Aggregation attack (RDBMS)
- create sensitive information by combining non-sensitive data from separate sources, need to know and least privilege can prevent, based on math usually
Inference attack (RDBMS)
- deduce sensitive information from observing non-sensitive pieces of information, blurring data and database partitioning may prevent this attack, based on human deduction
Primary memory (real memory)
- directly available to CPU aka RAM aka volatile RAM!! Most high performance storage available, ops happening in memory are fast than writing to storage,
Secondary storage
- inexpensive non-volatile storage available for long term use, includes magnetic and optical media ie tapes, disks, hard drives, flash drives, CD/DVD storage
Virtual memory
- allows a system to simulate primary memory resources through the use of secondary storage ie system low on RAM makes a hard disk available for direct CPU addressing
Virtual storage
- simulate secondary storage through the use of primary storage, most common example is RAM disk that presents itself to the OS as secondary storage, provides a very fast file system for apps but no recovery capability
Random access storage
- allows OS to request contents from any point within the media, RAM and Hard Drives
Sequential access storage
- requires scanning through entire media from beginning to reach a specific address, ie magnetic tape, old school magnetic storage backup tapes
Volatile storage
- loses contents when power is removed, ie RAM
Non-volatile storage
- does not depend on presence of power to maintain contents, magnetic/ optical media and nonvolatile RAM (NVRAM)
Expert systems
- consist of 2 systems > knowledge base that contains series of “if/ then” rules > inference engine that uses that information to draw conclusions about other data
Machine learning
- attempt to algorithmically discover knowledge from datasets
Neural networks
- simulate function of the human mind, arrange layered calculations to solve problems, require extensive training on a particular problem before they can offer solutions
Agile
- emphasis on the needs of the customer and quickly developing new functionality that meets those needs in an iterative fashion, RESPONSIVE TO CUSTOMER NEEDS, more responsive than waterfall (opposing strategies), 4 principles!! Individuals/ interactions over processes and tools, working software over comprehensive documentation, customer collaboration over contract negotiation, responding to change over following a plan. Gets to finish line faster since we can pivot quickly
Waterfall
- describes a SEQUENTIAL development process that results in the development of a finished product, less responsive than agile (opposing strategies), 7 stage process that allows return to previous stage for corrections. 7 steps: system requirements > software requirements > preliminary design > detailed design > code and debug > testing > ops and maintenance. Each phase can only go back 1 phase for correction
Spiral
- uses several iterations of waterfall to produce a number of fully specified and tested prototypes. Each loop ends in a new prototype, ITERATIVE
Software development maturity models
- improve maturity and quality of software processes by implementing evolutionary path from ad hoc, chaotic processes, to mature disciplined software processes. Know SE-CM and IDEAL
Capability maturity model (SW-CMM)
- 5 step model for measuring software development: level 1 initial = no plan > level 2 repeatable = basic lifecycle management > level 3 defined = formal and documented SW dev process > level 4 managed = quantitative measures to gain detailed understanding > level 5 optimized = continuous dev process with feedback loops (CI/CD)
IDEAL Model
- model for software development, similar to SW-CMM. STEPS: Initiating = business reasons outlined, support & infra put in place > diagnosing = engineers analyze current state of org & make recs for change > Establishing = org takes recs & develops plan to achieve the changes > Acting = putting the plan into action > Learning = org continuously analyzes efforts/ results and proposes new actions to drive better results
Request Control
- organized framework within which users can request mods, managers can conduct cost/ benefit analysis, and devs can prioritize tasks
Change control
- used by devs to recreate the situation encountered by the user and analyze appropriate changes to remedy the situation
Release control
- once code changes are finalized, they must be approved for release through release control procedure. Should also include acceptance testing to ensure the alterations are understood and functional
Software Testing
- should be tested thoroughly before distributing, programming team should develop special data sets that exercise all paths of the software to the fullest extent possible, can be automated or manual
File infection
- infect different types of executable files and trigger when the OS attempts to execute them ie .exe files
Service injection
- escape detection by injecting into trusted runtime processes of the OS such as svchost.exe, winlogon.exe, and explorer.exe
Boot sector infection
- infects legit boot sector and is loaded into memory during the OS load process
Macro infection
- infect and spread through code in macros ie visual basic for apps in MS Office docs
A/V software
- signature and behavioral based, for signature based it must be updated frequently, behavior based flags/ blocks unusual activity even it doesn’t match known malware signature
Password crackers
- take cred stolen in a breach and extract passwords from it ie hashes
Dictionary attacks
- uses large dictionary file and runs encryption against all words to obtain their encrypted equivalents, type of brute force
Social engineering
- tricking user into giving up their password, security awareness training
Rootkit (escalation of privilege)
- freely available, used as 2nd by attackers to exploit known vulns in various OS enabling attackers to elevate privs
Buffer overflow
- developer does not validate user input to ensure that it is of an appropriate size, too large of input can “overflow” the memory buffer, common in web forms
Backdoor
- undocumented command sequence that can allow individuals to bypass normal access restrictions, often used during development and debugging
Time of check to time of use (TOC/TOU)
- timing vuln that occurs when a program checks access permissions too far in advance of a resource request
Cross site scripting (XSS)
- type of injection where malicious scripts are injected into otherwise benign and trusted websites, attacker uses a web app to send malicious code to a different end user, occur when web apps contain “REFLECTED INPUT”
SQL Injection attacks
- use unexpected input to a web application to gain unauthorized access to an underlying database
Cross Site Request Forgery (CSRF)
attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing
IP Probes
- ping each ip address in a range, systems that respond are logged for further analysis
Port scan
- look for open and listening ports
Vuln scan
- look for specific vulns
Protection rings
- aka hierarchical protection domains, RINGS: Ring 0 = kernal > ring 1 = device drivers > ring 2 = device drivers > ring 3 = applications
Software Development Lifecycle (SDLC)
Real Developers Ideas Take Effort
○ Requirements analysis (SDLC) -
○ Design (SDLC) -
○ Implementation (SDLC) -
○ Testing (SDLC) -
Evolution (SDLC) -
Concentric circle security
- several mutually independent sec applications, processes, or services that operate toward a single common goal, avoids monolithic security stance, EVERY individual sec mechanism has a flaw or workaround, layered defense, COMBINE countermeasures, DEFENSE IN DEPTH
OS attacks
- buffer overflow, OS bugs, unpatched OS
Application level attacks
- overflow, active content, XSS, DoS, SQL injection, session hijacking, phishing
Shrink wrap code attacks
- exploiting holes in unpatched or poorly configured software you buy and install
Misconfiguration attacks
- target poorly or default configured service or device ie wifi router left in default settings