Domain 8: Software Development Security Flashcards
Change management process has three basic components:
Request Control/Change Control/Release Control
Request Control
Provides an organized framework within which users can request modifications,
managers can conduct cost/ benefit analysis, and developers can prioritize tasks.
Change Control
Provides an organized framework within which multiple developers can create and
test a solution prior to rolling it out into a production environment. Change control includes
conforming to quality control restrictions, developing tools for update or change deployment, properly
documenting any coded changes, and restricting the effects of new code to minimize diminishment of
security.
Release Control
Once the changes are finalized, they must be approved for release through the release control procedure.
Configuration Identification
Administrators document the configuration of covered software products throughout the organization.
Configuration Control
Ensures that changes to software versions are made in accordance with the
change control and configuration management policies. Updates can be made only from authorized
distributions in accordance with those policies.
Configuration Status Accounting
Formalized procedures are used to keep track of all authorized changes that take place
Configuration Audit
Periodic configuration audit should be conducted to ensure that the actual
production environment is consistent with the accounting records and that no unauthorized
configuration changes have taken place
5 levels of SW-CMM
initiating , repeatable, defined, managed, Optimizing
initiating
competent people, informal processes, ad-hoc, absence of formal process
repeatable
project management processes, basic life-cycle management processes
defined
Engineering processes, presence of basic life-cycle management processes and reuse
of code, use of requirements management, software project planning, quality assurance,
configuration management practices
managed
product and process improvement, quantitatively controlled
Optimizing
continuous process improvement Works with an IDEAL model.
IDEAL Model
Initiate , Diagnose, Establish an action plan,, Action implement improvements, , Leverage reassesses and continuously improve
PERT
Program Evaluation Review Technique is a project-scheduling tool used to judge the size of a
software product in development and calculate the standard deviation (SD) for risk assessment. PERT
relates the estimated lowest possible size, the most likely size, and the highest possible size of each
component. PERT is used to direct improvements to project management and software coding in order
to produce more efficient software
DevOps
The word DevOps is a combination of Development and Operations, symbolizing
that these functions must merge and cooperate to meet business requirements.
Integrates:
• Software Development,
• Quality Assurance
• IT Operations
DBMS
Refers to a suite of software programs that maintains and provides controlled access to data
components store in rows and columns of a table
Relational
One-to-one relationships, has DDL and DML, has TUPLES and ATTRIBUTES
(rows and columns)
Key-Value Store
key-value database, is a data storage paradigm designed for storing,
retrieving, and managing associative arrays, a data structure more commonly known today as a
dictionary or hash.
DDL – Data definition language
defines structure and schema
DML – Data manipulation language
View, manipulate and use the database via VIEW, ADD,
MODIFY, SORT and DELETE commands.
Degree of Db
Number of attributes (columns) in table
Cardinality
rows
Tuple
Row or record
DDE – Dynamic data exchange
Enables applications to work in a client/server model by providing the
inter-process communications mechanism (IPC)
DCL – Data control language
Subset of SQL used to control access to data in a database, using GRANT and REVOKE statements
Semantic integrity
Make sure that the structural and semantic rules are enforced on all data types,
logical values that could adversely affect the structure of the database
Referential integrity
all foreign keys reference existing primary keys,
Candidate Key
An attribute that is a unique identifier within a given table, one of the candidate keys
is chosen to be the primary key and the others are alternate keys, A candidate key is a subset of
attributes that can be used to uniquely identify any record in a table. No two records in the same table
will ever contain the same values for all attributes composing a candidate key. Each table may have one
or more candidate keys, which are chosen from column headings.
Primary Key
Provide the sole tuple-level addressing mechanism within the relational model. Cannot
contain a null value and cannot change or become null during the life of each entity. When the primary
key of one relation is used as an attribute in another relation, it is the foreign key in that relation.
Uniquely identify a record in a database
Foreign Key
Represents a reference to an entry in some other table that is a primary key there. Link
between the foreign and primary keys represents the relationship between the tuples. Enforces
referential integrity
Main Components of a Db using Db
- Schemas; blueprints
- tables
- views
Incorrect Summaries
When one transaction is using an aggregate function to summarize data stored
in a Db while a second transaction is making modifications to a Db, causing summary to include
incorrect information
Dirty Reads
When one transaction reads a value from a Db that was written by another transaction
that did not commit, Db concurrency issue
Lost Updates
When one transaction writes a value to the Db that overwrites a value needed by
transactions that have earlier precedence
Dynamic Lifetime Objects
Objects created on the fly by software in an Object Oriented
Programming environment. An object is preassembled code that is a self-contained module
ODBC
Open Database Connectivity is a database feature that allows applications to communicate
with different types of databases without having to be directly programmed for interaction with each
type. ODBC acts as a proxy.
Database contamination
Mixing data with different classification levels and/ or need-to-know
requirements and is a significant security challenge. Often, administrators will deploy a trusted front
end to add multilevel security to a legacy or insecure DBMS.
Database partitioning -
Is the process of splitting a single database into multiple parts, each with a
unique and distinct security level or type of content
Polyinstantiation
Occurs when two or more rows in the same relational database table appear to have
identical primary key elements but contain different data for use at differing classification levels. It is
often used as a defense against inference attacks
Database transactions
Four required characteristics
atomicity, consistency, isolation, and durability.
Together, these attributes are known as the ACID model, which is a critical concept in the development of database
management systems.
Atomicity
Database transactions must be atomic—that is, they must be an “all-or-nothing” affair. If
any part of the transaction fails, the entire transaction must be rolled back as if it never occurred
Consistency
All transactions must begin operating in an environment that is consistent with all of the
database’s rules (for example, all records have a unique primary key). When the transaction is
complete, the database must again be consistent with the rules, regardless of whether those rules were
violated during the processing of the transaction itself. No other transaction should ever be able to use
any inconsistent data that might be generated during the execution of another transaction.
Isolation
Principle requires that transactions operate separately from each other. If a database
receives two SQL transactions that modify the same data, one transaction must be completed in its
entirety before the other transaction is allowed to modify the same data. This prevents one transaction
from working with invalid data generated as an intermediate step by another transaction.
Durability
Database transactions must be durable. That is, once they are committed to the database,
they must be preserved. Databases ensure durability through the use of backup mechanisms, such as
transaction logs
Expert Systems
Expert systems seek to embody the accumulated knowledge of experts on a
particular subject and apply it in a consistent fashion to future decisions.
Every expert system has two main components: the knowledge base and the inference engine.
Expert Systems Two modes
- Forward chaining: acquires info and comes to a conclusion
* Backward chaining: backtracks to determine IF a hypothesis is correct
Neural Networks
- Use complex computations to replace partial functions of the human mind
- Based on function of biologic neurons
- Works with weighted inputs
- If a threshold is exceeded there will be output
- Single-layer: only one level of summoning codes
- Multi-level: more levels of summoning codes
- Training period needed to determine input vectors - adaptability (learning process)
Encapsulation (Data Hiding)
Only data it needs, no accidental access to data
Message
Communication to object to perform an action
Method
Code that defines an action an object performs in response to a message
Behavior
Results exhibited by an object in response to a msg
Class
Collection of methods that defines the behavior of objects
Instance
Objects are instances of classes that contain their methods
Inheritance
Allows a subclass to access methods belonging to a superclass
Multiple Inheritance
Class inherits characteristics from more than one parent class
Delegation
Forwarding a request to another object
Polymorphism
Objects of many different classes that are related by some common super class. When
different subclasses may have different methods using the same interfaces that respond differently
Poly-instantiation
Occurs when two or more rows in the same relational database table appear to
have identical primary key elements but contain different data for use at differing classification levels.
It is often used as a defense against some types of inference attacks
OORA, Requirements Analysis
Defines classes of objects and their interactions
OOA, Analysis
Understanding and modeling a particular problem Domain Analysis (DA) seeks to
identify classes and objects that are common to all applications in a domain
OOD, Design
Objects are the basic units, and instances of classes
OOP, Programming
Employment of objects and methods
If class = airplane, objects like fighter plane, cargo plane, passenger plane can be created. Method
would be what a plane would do with a message like: climb, dive, and roll.
ORBs, Object Request Brokers
Middleware that acts as locators and distributors of the objects across networks.
CORBA, Common object request
Broker architecture enables programs written in different languages and using different platforms and OS’s through IDL (Interface Definition Language)
COM, Common Object Model
Support exchange of objects amongst programs. This used to be called OLE. DCOM is the network variant (distributed)
Conclusion
Object orientation (e.g. with C++ and Smalltalk) supports reuse of objects and reduces development risk, natural in its representation of real world entities.
Cohesion
Ability to perform without use of other programs, strength of the relationship between the
purposes of methods within the same class
High cohesion
Without use of other modules
Low cohesion
Must interact with other modules
Coupling
Effect on other modules. Level of interaction between objects
High coupling
Module largely affects many more modules. High cohesion | GOOD
Low coupling
It doesn’t affect many other modules Low coupling | GOOD
Abstraction
One of the fundamental principles behind object-oriented programming. It is the “blackbox” doctrine that says that users of an object (or operating system component) don’t necessarily need
to know the details of how the object works; they need to know just the proper syntax for using the
object and the type of data that will be returned as a result
Separation of privilege
Builds on the principle of least privilege. It requires the use of granular
access permissions; that is, different permissions for each type of privileged operation. This allows
designers to assign some processes rights to perform certain supervisory functions without granting
them unrestricted access to the system.
Process isolation
Requires that the operating system provide separate memory spaces for each
process’s instructions and data. It also requires that the operating system enforce those boundaries,
preventing one process from reading or writing data that belongs to another process.
• It prevents unauthorized data access. Process isolation is one of the fundamental requirements
in a multilevel security mode system.
• It protects the integrity of processes
Layering processes
You implement a structure similar to the ring model used for operating modes and apply it to each operating system process.
Hardware segmentation
Is similar to process isolation in purpose. Difference is that hardware
segmentation enforces these requirements through the use of physical hardware controls rather than the
logical process isolation controls imposed by an operating system.
Covert channels
Is a way to receive information in an unauthorized manner, information flood that is not protected by a
security mechanism
2 types
• Storage covert channel - processes communicate via storage space on the system
• Covert timing channel - one process relays to another by modulating its use of system
resources. Typing rhythm of Morse Code is an example
Countermeasures: eal6 systems have less than eal3 systems because covert channels are normally a
flaw in design.
Java
Sandboxes, no warnings, programs are compiled to bytecode
ActiveX
Authenticode, relies on digital signatures, annoying dialogs people click away
Virus
Reproduces using a host application. It inserts or attaches itself to the file, spread thru infected
media
Worm
Reproduces on its own without host application
Logic Bomb/Code Bomb
Executes when a certain event happens (like accessing a bank account or employee being fired) or a data/time occurs
Trojan Horse
Program disguised as a useful program/tool
HOAXES
False warnings like: DON’T OPEN X SEND TO ALL YOUR COLLEAGUES
RAT, Remote Access Trojan
Remote control programs that have the malicious code and allow for
unauthorized remote access Back orifice, sub seven, net bus )
Buffer Overflow
Excessive information provided to a memory buffer without appropriate bounds
checking which can result in an elevation of privilege. If executable code is loaded into the overflow, it
will be run as if it were the program.
Buffer overflows can be detected by disassembling programs and looking at their operations.
Buffer overflows must be corrected by the programmer or by directly patching system memory.
LOKI
Is a tool used for covert channel that writes data directly after the ICMP header
Directory Traversal Attack –
Attacker attempts to force the web application to navigate up the file
hierarchy and retrieve a file that should not normally be provided to a web user.
Hash Collisions
Two different files produce the same result from a hashing operation
Boot sector Virus
Moves or overwrites the boot sector with the virus code.
Companion virus
A specific type of virus where the infected code is stored not in the host program,
but in a separate ‘companion’ files. For example, the virus might rename the standard NOTEPAD.EXE
file to NOTEPAD.EXD and create a new NOTEPAD.EXE containing the virus code. When the user
subsequently runs the Notepad application, the virus will run first and then pass control to the original
program, so the user doesn’t see anything suspicious. Takes advantage of search order of an
Multipart virus
Infects both the boot sector and executable files; becomes resident first in memory
and then infects the boot sector and finally the entire system, uses two or more propagation
mechanisms
Self-garbling virus
attempts to hide by garbling its code; as it spreads, it changes the way its code is
encoded
Polymorphic virus
This is also a self-garbling virus where the virus changes the “garble” pattern
each time is spreads. As a result, it is also difficult to detect
Macro virus
Usually written in Word Basic, Visual Basic or VBScript and used with MS Office
Resident virus
Virus that loads when a program loads in memory
Master boot record/boot sector
(MBR) virus attack the MBR—the portion of bootable media (such
as a hard disk, USB drive, or CD/ DVD) that the computer uses to load the operating system during the
boot process. Because the MBR is extremely small (usually 512 bytes), it can’t contain all the code
required to implement the virus’s propagation and destructive functions. To bypass this space
limitation, MBR viruses store the majority of their code on another portion of the storage media. When
the system reads the infected MBR, the virus instructs it to read and execute the code stored in this
alternate location, thereby loading the entire virus into memory and potentially triggering the delivery
of the virus’s payload.
Signature based Anti-Virus
Cannot detect new malware
Heuristic behavioral Anti-Virus
Can detect new malware
Protection domain
Execution and memory space assigned to each process
TRUSTED COMPUTER BASE
Combination of protection systems within a computer system, which include the hardware, software
and firmware that are trusted to enforce the security policy.
Security Kernel
Hardware, software, firmware, elements of TCB that implement the reference
monitor concept — must be isolated from reference monitor (reference monitor: isolation,
completeness and verifiability, that compares the security labels of subjects and objects)
Multistate systems
Capable of implementing a much higher level of security. These systems are
certified to handle multiple security levels simultaneously by using specialized mechanisms
Protection rings
• Ring 0 - Operating system kernel. The OS’ core. The kernel manages the HW (for example,
processor cycles and memory) and supplies fundamental services that the HW does not provide.
• Ring 1 - Remaining parts of the operating system
• Ring 2 - I/O drivers and utilities
• Ring 3 - Applications and programs
CSRF (XSRF)
Cross site request forgery, attacks exploit the trust that sites have in a user’s browser
by attempting to force the submission of authenticated request to third-party sites.
Cross-site Scripting
Uses reflected input to trick a user’s browser into executing untrusted code from
a trusted site
Session Hijacking
Attempt to steal previously authenticated sessions but do not force the browser to
submit request.
SQL Injection
Directly attacks a database through a web app,, CARROT’1=1; - quotation mark to
escape out of input field
Service Pack
Collection of unrelated patches released in a large collection
Patch management system
Prevents outages from known attacks by ensuring systems are patched.
Patches aren’t available for new attacks. However, the patch management system doesn’t provide the
updates. Ensuring systems are patched reduces vulnerabilities but it does not eliminate them
Threat Modeling
Reduce the number of security-related design and coding flaws, reduce severity of
non-security related files, not to reduce number of threat vectors
Open system
Is one with published APIs that allow third parties to develop products to interact with
it.
Keys
Like passwords and should be treated as very sensitive information. They should always be
stored in secure locations and transmitted only over encrypted communications channels. If someone
gains access to your key, they can interact with a web service as if they were you! Limit access to
Nessus
is a popular vulnerability scanner managed by Tenable Network Security, and it combines
multiple techniques to detect a wide range of vulnerabilities. It uses port scans to detect open ports and
identify the services and protocols that are likely running on these systems.
OWASP
Open Web Application Security Project, most authoritative source on web application
security issues
Shadow Password File
/etc./ shadow. This file contains the true encrypted PWs of each user, but it is
not accessible to anyone but the administrator. The publicly accessible /etc./ passwd file then simply
contains a list of usernames without the data necessary to mount a dictionary attack. “x”
User Mode
Processor mode used to run the system tools used by admins to make configuration
changes to a machine
Kernel Mode
Used by processor to execute instructions from
