Domain 8 - Software Development Security Flashcards
System Development Life Cycle (SDLC)
Project initiation
Functional analysis and planning
System design specifications
Acceptance testing and implementation
System Life Cycle (SLC) (extends beyond SDLC)
Operations and maintenance
Revisions/ Disposal
Project initiation
Feasibility, cost, risk analysis, Management approval, basic security objectives
Functional analysis and planning
Define need, requirements, review proposed security controls
System design specifications
Develop detailed design specs, Review support documentation, Examine security controls
Software development
Programmers develop code. Unit testing Check modules. Prototyping, Verification, Validation
Acceptance testing and implementation
Separation of duties, security testing, data validation, bounds checking, certification, accreditation , part of release control
Operations and maintenance
release into production. Certification/accreditation
Revisions/ Disposal
remove. Sanitation and destruction of unneeded data
Change Management Process
Together, change and configuration management techniques form an important part of the software engineer’s arsenal and protect the organization from development-related security issues. The change management process has three basic components:
Three basic components of the Change Management Process
Request Control
Change Control
Release Control
Request Control
provides an organized framework within which users can request modifications, managers can conduct cost/ benefit analysis, and developers can prioritize tasks.
Change Control
provides an organized framework within which multiple developers can create and test a solution prior to rolling it out into a production environment. Change control includes conforming to quality control restrictions, developing tools for update or change deployment, properly documenting any coded changes, and rest
Release Control
Once the changes are finalized, they must be approved for release through the release control procedure.
Configuration Management Process
This process is used to control the version( s) of software used throughout an organization and formally track and control changes
Configuration Identification
administrators document the configuration of covered software products throughout the organization.
Configuration Control
ensures that changes to software versions are made in accordance with the change control and configuration management policies. Updates can be made only from authorized distributions in accordance with those policies.
Configuration Status Accounting
Formalized procedures are used to keep track of all authorized changes that take place.
Configuration Audit
periodic configuration audit should be conducted to ensure that the actual production environment is consistent with the accounting records and that no unauthorized configuration changes have taken place.
SDLC
Conceptual definition Functional requirements definition Control specifications development Design review Code review System test review Maintenance and change management
Software Capability Maturity model (CMM)
Quality of software is a direct function of quality of development and maintenance
Defined by Carnegie Mellon University SEI (Software Engineering Institute)
Describes procedures, principles, and practices that underlie software development process maturity 1-2 REACTIVE, 3-5 PROACTIVE
List the 5 steps of the Software Capability Maturity model (CMM).
- initiating – competent people, informal processes, adhoc, absence of formal process
- repeatable – project management processes, basic lifecycle management processes
- defined – engineering processes, presence of basic lifecycle management processes and reuse of code, use of requirements management, software project planning, quality assurance, configuration management practices
- managed – product and process improvement, quantitatively controlled
- Optimizing – continuous process improvement
Works with an IDEAL model.
Initiate begin effort, Diagnose perform assessment, Establish an action plan, Action implement improvements, Leverage reassesses and continuously improve
Project Management Tools
Gantt Chart
PERT
Gantt Chart
a type of bar chart that shows the interrelationships over time between projects and schedules. It provides a graphical illustration of a schedule that helps to plan, coordinate, and track specific tasks in a project. WBS a subpart
PERT
Program Evaluation Review Technique is a projectscheduling tool used to judge the size of a software product in development and calculate the standard deviation (SD) for risk assessment. PERT relates the estimated lowest possible size, the most likely size, and the highest possible size of each component. PERT is used to direct improvements to project management and software coding in order to produce more efficient software.
DevOps
The DevOps approach seeks to resolve issues by bringing the three functions together in a single operational model.
The word DevOps is a combination of Development and Operations, symbolizing that these functions must merge and cooperate to meet business requirements. Integrates:
- Software Development,
- Quality Assurance
- IT Operations
NOT SECURITY
Software
Software Development Models
Simplistic model Waterfall model Waterfall including Validation and Verification (V&V) Spiral model Cleanroom Cleanroom design
Simplistic model
This model was simplistic in that it assumed that each step could be completed and finalized without any effect from the later stages that may require rework
Waterfall model
Can be managed if developers are limited going back only one step. If rework may be done at any stage it’s not manageable. Problem: it assumes that a phase or stage ends at a specific time. System Requirements-> Software Requirements -> Analysis -> Program Design -> Coding -> Testing -> Operations & Maintenance
Waterfall including Validation and Verification (V&V)
Reinterpretation of the waterfall model where verification evaluates the product during development against specification and validation refers to the work product satisfying the real-world requirements and concepts. Verification=doing the job right Validation:= doing the right job
Spiral model
Angular = progress made Radial = cost
Lower left = development plans
Upper left = objectives of the plans, alternatives checked
Upper right = assessing alternatives, risk analysis Lower right = final development
Left horizontal axis = includes the major review required to complete each full cycle
Agile Software Development
Developers increasingly embraced approaches that placed an emphasis on the needs of the customer and on quickly developing new functionality that meets those needs in an iterative fashion.
- Individuals and interactions over processes and tools
- Working software over comprehensive documentation
- Customer collaboration over contract negotiation
- Responding to change over following a plan
WORKING SOFTWARE PRIMARY MEASURE OF SUCCESS
Database
general mechanism for defining, storing and manipulating data without writing specific programs
DBMS
refers to a suite of software programs that maintains and provides controlled access to data components store in rows and columns of a table
Types of Database Systems
- Hierarchical= tree (sons with only one parent), one to many relationship
- Network = tree (all interconnected)
- Mesh
- Object-orientated
- Relational – one-to-one relationships, has DDL and DML, has TUPLES and ATTRIBUTES (rows and columns)
- Key-Value Store - key-value database, is a data storage paradigm designed for storing, retrieving, and managing associative arrays, a data structure more commonly known today as a dictionary or hash.
DDL
Data definition language defines structure and schema
DML
Data manipulation language view, manipulate and use the database via VIEW, ADD, MODIFY, SORT and DELETE commands.
Degree of Db
–number of attributes (columns) in table
Tuple
row or record
DDE
Dynamic data exchange enables applications to work in a client/server model by providing the inter-process communications mechanism (IPC)
DCL
Data control language subset of SQL used to control access to data in a database, using GRANT and REVOKE statements
Semantic integrity
make sure that the structural and semantic rules are enforced on all data types, logical values that could adversely affect the structure of the database
Referential integrity
all foreign keys reference existing primary keys
Candidate Key
an attribute that is a unique identifier within a given table, one of the candidate keys is chosen to be the primary key and the others are alternate keys, A candidate key is a subset of attributes that can be used to uniquely identify any record in a table. No two records in the same table will ever contain the same values for all attributes composing a candidate key. Each table may have one or more candidate keys, which are chosen from column headings.
Primary Key
provide the sole tuple-level addressing mechanism within the relational model. Cannot contain a null value and cannot change or become null during the life of each entity. When the primary key of one relation is used as an attribute in another relation, it is the foreign key in that relation. Uniquely identify a record in a database
Foreign Key
represents a reference to an entry in some other table that is a primary key there. Link between the foreign and primary keys represents the relationship between the tuples. Enforces referential integrity
Main Components of a Db using Db
- Schemas; blueprints
- tables
- views
Incorrect Summaries
when one transaction is using an aggregate function to summarize data stored in a Db while a second transaction is making modifications to a Db, causing summary to include incorrect information
Dirty Reads
when one transaction reads a value from a Db that was written by another transaction that did not commit, Db concurrency issue
Lost Updates
when one transaction writes a value to the Db that overwrites a value needed by transactions that have earlier precedence
Dynamic Lifetime Objects
Objects created on the fly by software in an Object Oriented Programming environment. An object is preassembled code that is a self-contained module
ODBC
Open Database Connectivity is a database feature that allows applications to communicate with different types of databases without having to be directly programmed for interaction with each type. ODBC acts as a proxy
Multilevel security
it’s essential that admins and developers strive to keep data with different security requirements separate.
Database contamination
Mixing data with different classification levels and/ or need-to-know requirements and is a significant security challenge. Often, administrators will deploy a trusted front end to add multilevel security to a legacy or insecure DBMS.
Database partitioning
is the process of splitting a single database into multiple parts, each with a unique and distinct security level or type of content.
Polyinstantiation
occurs when two or more rows in the same relational database table appear to have identical primary key elements but contain different data for use at differing classification levels. It is often used as a defense against inference attacks
Database transactions
Four required characteristics: atomicity, consistency, isolation, and durability. Together, these attributes are known as the ACID model, which is a critical concept in the development of database management systems.
Atomicity
Database transactions must be atomic— that is, they must be an “all-or-nothing” affair. If any part of the transaction fails, the entire transaction must be rolled back as if it never occurred.
Consistency
All transactions must begin operating in an environment that is consistent with all of the database’s rules (for example, all records have a unique primary key). When the transaction is complete, the database must again be consistent with the rules, regardless of whether those rules were violated during the processing of the transaction itself. No other transaction should ever be able to use any inconsistent data that might be generated during the execution of another transaction.
Isolation
principle requires that transactions operate separately from each other. If a database receives two SQL transactions that modify the same data, one transaction must be completed in its entirety before the other transaction is allowed to modify the same data. This prevents one transaction from working with invalid data generated as an intermediate step by another transaction
Durability
Database transactions must be durable. That is, once they are committed to the database, they must be preserved. Databases ensure durability through the use of backup mechanisms, such as transaction logs.
Expert Systems
Expert systems seek to embody the accumulated knowledge of experts on a particular subject and apply it in a consistent fashion to future decisions. Every expert system has two main components: the knowledge base and the inference engine.
- Based on human reasoning
- Knowledge base of the domain in the form of rules
- If-then statements=called forward chaining
- Priority in rules are called salience
- Interference system = decision program
- Expert system = inference engine + knowledge base - Degree of uncertainty handled by approaches as Bayesian networks(probability of events), certainty factors(probability an event is true) or fuzzy logic(to develop conclusions)
- Two modes:
o Forward chaining: acquires info and comes to a conclusion
o Backward chaining: backtracks to determine IF a hypothesis is correct
Neural Networks
- Use complex computations to replace partial functions of the human mind
- Based on function of biologic neurons
- Works with weighted inputs
- If a threshold is exceeded there will be output
- Single-layer : only one level of summoning codes
- Multi-level: more levels of summoning codes
- Training period needed to determine input vectors
- adaptability (learning process)
Programming Language Generations
First-generation Second-generation Third-generation Fourth-generation Fifth-generation
First-generation languages (1GL)
include all machine languages
Second-generation languages (2GL)
include all assembly languages.
Third-generation languages (3GL)
include all compiled languages.
Fourth-generation languages (4GL)
attempt to approximate natural languages and include SQL, which is used by databases.
Fifth-generation languages (5GL)
allow programmers to create code using visual interfaces.
Compiler
Translates higher level program into an executable file
Interpreter
reads higher level code, one line at the time to produce machine instructions
Assembler
converts machine-code into binary machine instructions. Translate assembly language into machine language
Object Orientated Technology
Objects behave as a black box; they are encapsulated to perform an action. Can be substituted if they have compatible operations. It can store objects like video and pictures
Encapsulation (Data Hiding)
only data it needs, no accidental access to data
Message
communication to object to perform an action
Method
code that defines an action an object performs in response to a message
Behavior
results exhibited by an object in response to a msg.
Class
collection of methods that defines the behavior of objects
Instance
- objects are instances of classes that contain their methods
Inheritance
allows a subclass to access methods belonging to a superclass
Multiple Inheritance
class inherits characteristics from more than one parent class
Delegation
forwarding a request to another object Polymorphism: objects of many different classes that are related by some common super class. When different subclasses may have different methods using the same interfaces that respond differently
OORA, Requirements Analysis
defines classes of objects and their interactions
OOA, Analysis
understanding and modeling a particular problem Domain Analysis (DA) seeks to identify classes and objects that are common to all applications in a domain
OOD, Design
Objects are the basic units, and instances of classes
OOP, Programming
employment of objects and methods If class = airplane, objects like fighter plane, cargo plane, passenger plane can be created. Method would be what a plane would do with a message like: climb, dive, and roll.
ORBs, Object Request Brokers
middleware that acts as locators and distributors of the objects across networks.
CORBA, Common object request
broker architecture enables programs written in different languages and using different platforms and OS’s through IDL (Interface Definition Language)
COM, Common Object Model
support exchange of objects amongst programs. This used to be called OLE. DCOM is the network variant (distributed)
Conclusion
Object orientation (e.g. with C++ and Smalltalk) supports reuse of objects and reduces development risk, natural in its representation of real world entities.
Cohesion
ability to perform without use of other programs, strength of the relationship between the purposes of methods within the same class
High cohesion
without use of other modules
Low cohesion
must interact with other modules
Coupling
effect on other modules. Level of interaction between objects
High coupling
module largely affects many more modules
Low coupling
it doesn’t affect many other modules
Technical
Technical Security Protection Mechanisms
Abstraction Separation of privilege Process isolation Layering processes Hardware segmentation
Abstraction
one of the fundamental principles behind objectoriented programming. It is the “black-box” doctrine that says that users of an object (or operating system component) don’t necessarily need to know the details of how the object works; they need to know just the proper syntax for using the object and the type of data that will be returned as a result
Separation of privilege
builds on the principle of least privilege. It requires the use of granular access permissions; that is, different permissions for each type of privileged operation. This allows designers to assign some processes rights to perform certain supervisory functions without granting them unrestricted access to the system.
Process isolation
requires that the operating system provide separate memory spaces for each process’s instructions and data. It also requires that the operating system enforce those boundaries, preventing one process from reading or writing data that belongs to another process.
- It prevents unauthorized data access. Process isolation is one of the fundamental requirements in a multilevel security mode system.
- It protects the integrity of processes.
Layering processes
you implement a structure similar to the ring model used for operating modes and apply it to each operating system process
Hardware segmentation
is similar to process isolation in purpose. Difference is that hardware segmentation enforces these requirements through the use of physical hardware controls rather than the logical process isolation controls imposed by an operating system.
Covert channels
Is a way to receive information in an unauthorized manner, information flood that is not protected by a security mechanism 2 types
Countermeasures: eal6 systems have less than eal3 systems because covert channels are normally a flaw in design.
Storage covert channel
processes communicate via storage space on the system
Covert timing channel
one process relays to another by modulating its use of system resources. Typing rhythm of Morse Code is an example
Mobile code
Java
ActiveX
Java
sandboxes, no warnings, programs are compiled to bytecode
ActiveX
Authenticode, relies on digital signatures, annoying dialogs people click away
Virus
reproduces using a host application. It inserts or attaches itself to the file, spread thru infected media
Worm
reproduces on its own without host application
Logic Bomb/Code Bomb
executes when a certain event happens (like accessing a bank account or employee being fired) or a data/time occurs
Trojan Horse
program disguised as a useful program/tool
HOAXES
False warnings like: DON’T OPEN X SEND TO ALL YOUR COLLEGUES
RAT, Remote Access Trojan
remote control programs that have the malicious code and allow for unauthorized remote access Back orifice, sub seven, net bus )
Buffer Overflow
Excessive information provided to a memory buffer without appropriate bounds checking which can result in an elevation of privilege. If executable code is loaded into the overflow, it will be run as if it were the program. Buffer overflows can be detected by disassembling programs and looking at their operations. Buffer overflows must be corrected by the programmer or by directly patching system memory.
Trap Door
An undocumented access path through a system. This typically bypasses the normal security mechanisms and is to plant any of the malicious code forms
Backdoor
program installed by an attacker to enable him to come back on a later date without going through the proper authorization channels , maintenance hook for developers sometimes
Covert Channel
a way to receive information in an unauthorized manner. Information flood that is not protected by a security mechanism.
Covert Storage Channel
Writing to storage by one process and reading by another of lower security level.
Covert Timing Channel
One process relays to another by modulating its use of system resources.
LOKI
a tool used for covert channel that writes data directly after the ICMP header
Botnet
compromise thousands of systems with zombie codes can be used in DDOS attacks or spammers, send spam messages, conduct brute force attacks, scan for vulnerable systems
Directory Traversal Attack
attacker attempts to force the web application to navigate up the file hierarchy and retrieve a file that should not normally be provided to a web user
Macro Virus
Most common in office productivity documents .doc/.docx
MDM, Mobile device management
a software solution to manage the myriad mobile devices that employees use to access company resources. The goals of MDM are to improve security, provide monitoring, enable remote management, and support troubleshooting.
Collisions
two different files produce the same result from a hashing operation
Boot sector virus
moves or overwrites the boot sector with the virus code.
System infector virus
infects BIOS command other system files. It is often a memory resident virus
Phlashing virus
- a malicious variation of official BIOS or firmware is installed that introduces remote control or other malicious features into a device. UEFI – replacement for BIOS
Compression virus
appended to executables
Companion virus
A specific type of virus where the infected code is stored not in the host program, but in a separate ‘companion’ files. For example, the virus might rename the standard NOTEPAD.EXE file to NOTEPAD.EXD and create a new NOTEPAD.EXE containing the virus code. When the user subsequently runs the Notepad application, the virus will run first and then pass control to the original program, so the user doesn’t see anything suspicious. Takes advantage of search order of an OS
Stealth virus
hides modifications to files or boot records and itself
Multipart virus
infects both the boot sector and executable files; becomes resident first in memory and then infects the boot sector and finally the entire system, uses two or more propagation mechanisms
Self-garbling virus
attempts to hide by garbling its code; as it spreads, it changes the way its code is encoded
Polymorphic virus
this is also a self-garbling virus where the virus changes the “garble” pattern each time is spreads. As a result, it is also difficult to detect.
Macro virus
usually written in Word Basic, Visual Basic or VBScript and used with MS Office
Resident virus
Virus that loads when a program loads in memory
Master boot record /boot sector virus
- (MBR) virus attack the MBR— the portion of bootable media (such as a hard disk, USB drive, or CD/ DVD) that the computer uses to load the operating system during the boot process. Because the MBR is extremely small (usually 512 bytes), it can’t contain all the code required to implement the virus’s propagation and destructive functions. To bypass this space limitation, MBR viruses store the majority of their code on another portion of the storage media. When the system reads the infected MBR, the virus instructs it to read and execute the code stored in this alternate location, thereby loading the entire virus into memory and potentially triggering the delivery of the virus’s payload
Non-resident virus
attached to .exe
Signature based ANTI-Virus
cannot detect new malware
Heuristic ANTI-Virus
behavioral can detect new malware
Threats
Natural (Fires, explosions water, storm)
Man-made (bombing, strikes, toxin spills)
Protection domain
Execution and memory space assigned to each process
TRUSTED COMPUTER BASE
Combination of protection systems within a computer system, which include the hardware, software and firmware that are trusted to enforce the security policy.
Security Kernel
hardware, software, firmware, elements of TCB that implement the reference monitor concept — must be isolated from reference monitor (reference monitor: isolation, completeness and verifiability, that compares the security labels of subjects and objects)
Multistate systems
capable of implementing a much higher level of security. These systems are certified to handle multiple security levels simultaneously by using specialized mechanisms
Protection rings
(MIT’s MULTICS design) Ring 0 - Operating system kernel. The OS’ core. The kernel manages the HW (for example, processor cycles and memory) and supplies fundamental services that the HW does not provide.
Ring 1 - Remaining parts of the operating system Ring 2 - I/O drivers and utilities
Ring 3 - Applications and programs
Layers 1 and 2 contain device drivers but are not normally implemented in practice.
Layer 3 contains user applications.
Layer 4 does not exist.
CSRF (XSRF)
Cross site request forgery, attacks exploit the trust that sites have in a user’s browser by attempting to force the submission of authenticated request to third-party sites.
Cross-site Scripting
uses reflected input to trick a user’s browser into executing untrusted code from a trusted site
Session Hijacking
attempt to steal previously authenticated sessions but do not force the browser to submit request.
SQL Injection
directly attacks a database through a web app,, CARROT’1=1;– quotation mark to escape out of input field
Blue Screen of Death
when a Windows system experiences a dangerous failure and enters a full secure state (reboot)
Hotfix, update, Security fix
– single patch, patches provide updates to operating systems and applications
Service Pack
collection of unrelated patches released in a large collection
Patch management system
prevents outages from known attacks by ensuring systems are patched. Patches aren’t available for new attacks. However, the patch management system doesn’t provide the updates. Ensuring systems are patched reduces vulnerabilities but it does not eliminate them
Code Review
peer-driven process that includes multiple developers, may be automated, may review several hundred lines of code an hour, done after code developed
Strong Passwords
social engineering best attack method to beat
Threat Modeling
reduce the number of security-related design and coding flaws, reduce severity of non-security related files, not to reduce number of threat vectors
Aggregate
summarize large amounts of data and provide only summary information as a result
Port Scan
attacking system sends connection attempts to the targets system against a series of commonly used ports
JavaScript
an interpreted language that does not make use of a complier to transform code into an executable state. Java, C, and C++ are all compiled languages
Open system
one with published APIs that allow third parties to develop products to interact with it
Closed system
one that is proprietary with no third-party product support, does not define if it’s code can be viewed
Open source
a coding stance that allows others to view the source code of a program, distributed free or for a fee
Closed source
an opposing coding stance that keeps source code confidential. can be reverse engineered or decompiled
API Keys
like passwords and should be treated as very sensitive information. They should always be stored in secure locations and transmitted only over encrypted communications channels. If someone gains access to your API key, they can interact with a web service as if they were you! Limit access to API
Nessus
a popular vulnerability scanner managed by Tenable Network Security, and it combines multiple techniques to detect a wide range of vulnerabilities. It uses port scans to detect open ports and identify the services and protocols that are likely running on these systems. Once Nessus discovers basic details about systems, it can then follow up with queries to test the systems for known vulnerabilities, such as if the system is up-to-date with current patches. Attacker can use to best identify vulnerabilities in a targeted syste
CASE
tool for development, if concerned about security
OWASP
Open Web Application Security Project, most authoritative source on web application security issues
Shadow Password File
- , /etc./ shadow. This file contains the true encrypted PWs of each user, but it is not accessible to anyone but the administrator. The publicly accessible /etc./ passwd file then simply contains a list of usernames without the data necessary to mount a dictionary attack. “x”
User Mode
processor mode used to run the system tools used by admins to make configuration changes to a machine
Kernel Mode
used by processor to execute instructions from OS
