Domain 8, Understanding, applying, enforcing software security Flashcards
XP, Extreme programming
XP utilizes a concept known as pair programming, which pairs developers. Uses refactoring of code: a way of removing obsolete, redundant, or unneeded code to improve the software's functionality.
Has five core practices
Object
black box that combines code and data, sends and receives messages.
Object-oriented programming
Treats a program as a series of connected objects.
Procedural languages
use subroutines, procedures, and functions
Spiral Model
Software dev model designed to control risk. Based on the Waterfall model, with improvements.
Systems development life cycle, SDLC
A dev model that focuses on security in every phase
Waterfall model
An application dev model that uses rigid phases, when one ends, the next begins. No going back a step once one ends.
SEI Capability maturity model
Software maturity model. Goal to develop a methodical framework for creating quality software which allows measurable and repeatable results.
Machine code
1s and 0s, machine/cpu dependent
Source Code
Computer programming language which is written in text and must be translated to the machine code
Assembler
Converts assembly language into machine language
Compiler
Converts an entire program into machine code. Produces an entire program written in machine code.
Interpreters
Converts code into machine code line by line. Simply feeds commands line by line from source code to interpreted machine language.
First gen language
machine code
2nd gen language
Assembly
3rd gen language
COBOL, C, BASIC
Fourth gen language
ColdFusion, Progress 4GL, Oracle Reports
CASE
Computer Aided Software Engineering. Uses computers to assist in the creation and maintenance of other computer programs
Computer Aided Software Engineering - Tools
Supports only specific tasks in the software production process
Workbenches
Support one or a few software process activities by integrating several tools in a single application
Environments
(Integrated Development Environment) Support all or at least part of the software production process with a collection of tools and workbenches
Free software (gratis), AKA freeware
software that is free of charge
Free software (libre)
free to alter the program
shareware
free for X amount of days
crippleware
pay to enable locked features
Prototyping
Iterative approach to
NIST SP 800-14
NIST process for systems development life cycle
- operation and maintenance
- secure disposal/decommissioning
Code repository Security Controls
Largely falls under the other corporate security controls discussed previously. Defense in depth, secure authentication, firewalls, version control, etc.
Software Change MGMT
Broader than Software Config Mgmt. Tracks changes across an entire software dev program as it is developed, maintained, and eventually retired
Software Config management
Narrower than Software Change Mgmt.
Tracks changes to specific software
NIST SP 800-128
Guide for security focused config mgmt.
Config control board, CCB
Group of qualified people responsible for controlling and approving changes
Config item identification
methodology for selecting and naming config items that need to be placed under CM.
Config change control
Process for managing updates to the baseline config
Config monitoring
process for assessing or testing the level of compliance.
DevOps
Traditionally there was separation of duties between devs, QA teams, and production teams.
DevOps flips this around, having operations and development engineers work together across the entire service lifecycle.
Object oriented Design
treats projects as a series of connected objects that communicate with each other.
Cornerstone OOP Concept - Inheritance
way to reuse code of existing projects, establish a subtype from an existing project.
Cornerstone OOP Concept - Delegation
one object relying on another to provide a set of functionalities
Cornerstone OOP Concept - Polymorphism
ability to create a variable/function/object that has more than one form
Cornerstone OOP Concept - Polyinstantiation
Two instances with the same name that contains different data.
e.g. two different accounts may both have a variable named "account number", but the values would be different.
Coupling and Cohesion
Highly coupled object: requires other objects to do anything.
Highly cohesive object: can run independently.
object request broker
Used to locate objects. Acts as a search engine.
COM, DCOM, and CORBA
CORBA
Common Object Request Broker Architecture.
OOA and OOD
Object oriented analysis and design. Very high level conceptual visualization of how a project or program should work.
Software Vulnerabilities: Hard Coded Creds
Backdoor user/pass left over from production. AKA maintenance hook.
SQL injection
Manipulation of the back-end server via the front-end web server.
Software Vulnerability: Directory Path Traversal
Escaping from the root of a web server by referencing other directories.
Full disclosure
If you find a vulnerability, you need to disclose. Full disclosure goes public.
Responsible disclosure
privately share with vendor.
Relational Database model
Two-dimensional; a table is called a relation.
Tables have rows and columns. Row = tuple, column = attribute, cell = value
Primary Key
Relational DB value that uniquely represents each tuple.
Foreign key
Relational DB. Key in a related DB that matches the primary key in a parent DB.
Referential integrity
Every foreign key in secondary tables matches a primary key.
Semantic Integrity
Each attribute (column) value is consistent with the attribute's data type.
e.g. you wouldn't put someone's name as a value in the attribute for social security number.
Entity Integrity
Each tuple has a unique primary key that is not null.
DB Normalization
Seeks to make data in a DB logically concise, organized, and consistent. Removes redundant data.
DB Normalization rules
- First normal form: divide data into tables.
- Second normal form: move data that is partially dependent on the primary key to another table.
- Third normal form: remove data that is not dependent on the primary key.
Database Views
Tables may be queried; the results are called a DB view. Can be used to provide a constrained user interface.
Data Dictionary
Contains descriptions of DB tables. Called metadata.
DB Query languages
Most popular is SQL. MySQL, PostgreSQL, PL/SQL, etc.
DB Language commands
DDL, data definition language.
DML, data manipulation language.
Hierarchical DB
DNS is a good example
Object Oriented Database
Object-oriented DB. Combines data with functions/code used to manipulate the objects and their data.
Assembly Language
Low-level computer language. Instructions are short mnemonics, like ADD, SUB, and JMP. These map directly to machine code instructions.
Closed-source software
Released only in executable form, source code is kept confidential.
Open Source software
Publishes source code openly. e.g. Linux, Apache web server.
Agile Software Development
Much more flexible way of software dev. Has 4 values (listed below) and 12 principles:
- Individuals and interactions over processes and tools
- Working software over comprehensive documentation
- Customer collaboration over contract negotiation.
- Responding to change over following a plan.
Scrum
Type of Agile development that takes a ‘holistic’ approach. A team tries to go the distance as a unit, rather than handing the project off in stages.
Contains a Scrum Team, and a Scrum Master, and a Product owner on the business side.
Test-Driven Development
Type of Agile development. TDD, as the name implies, is driven by the use of test cases: first a test is written, then it is run. If it fails, code is written or refactored as needed to make the test succeed.
Key Scrum
Type of Agile Development
Integrated Product Team (IPT)
An integrated product team (IPT) is a multitalented group of people from different disciplines responsible for delivering a product. IPTs are formed to plan, execute, and implement life cycle decisions for the system being acquired.
Software Escrow
Third party stores an archive of the software. Usually negotiated as part of a contract with a proprietary software vendor.
Vendor wants it kept secret, but client may be afraid vendor goes out of business and may need access to source code.
API Security
Application programming interface:
Authentication, access control, input validation, output encoding/escaping, cryptography, error handling and logging, communications security, HTTP security, security configuration.
RAD - Rapid Application Development
Quickly develops software via use of prototypes/dummies. Goal is to quickly meet a business need of the system, while technical concerns are secondary.
SDLC - Systems development life cycle
System development model. Used across the IT industry, but focuses on security.
OWASP API Controls
Authentication, access control, input validation, output encoding, cryptography, error handling/logging, communication security, HTTP security, security configuration.
Database administrator
Manages the database.
DBMS
Database Management System
Relational Database
Most common type of database.
Has Rows and Columns
Row is called a Tuple
Column is called an Attribute
Primary Key
Each tuple has a primary key that is unique to that row.
Candidate Key
Any attribute within a row (tuple) that is unique.
Foreign Key
Key in a related DB table that matches a primary key in a parent DB table.
This key is referred to as 'foreign' from the parent table's point of view, but is still called the 'primary key' from the child table's point of view.
Database Journal
Log of all DB transactions. If a DB becomes corrupted, the journal can be used to revert to the most recent working version of the database.
Database Shadowing
One-way mirror. Clients cannot access the shadow DB.
Database Replication
Mirrors a live DB, allowing simultaneous reads and writes to multiple replicated DBs. A two-phase commit can be used to ensure integrity.
Data Warehousing
Large-scale storage of data.
Data mining
Way to automate/program the analysis of large quantities of data, which no human could hope to analyze on their own.
Object Request Broker
Used to locate objects. Essentially a search engine.
This is a type of middleware, which connects programs to other programs.
Examples of ORBs (Object Request Brokers)
CORBA (Common Object Request Broker Architecture)
DCOM (Distributed Component Object Model)
COM (Component Object Model)
Software Vulnerabilities: Buffer Overflow
Occurs when a programmer does not perform variable bounds checking. Can be used to insert and run shellcode.
Software Vulnerabilities: SQL Injection
Manipulation of a back-end SQL server via a front-end web server.
Software Vulnerability: PHP Remote File Inclusion
Altering a URL to include a malicious remote file/URL for execution.
Software Vulnerabilities: TOC/TOU race condition
Time of check/time of use attack. AKA race condition. An attacker attempts to alter a condition after it has already been checked by the OS, but before it is used. Type of state attack.
Software Vulnerabilities: Cross-site Scripting XSS
Third-party execution of web scripting languages, within the context of a trusted site.
Exploits trust the website may have with third-party code.
Can be prevented with proper input validation.
Software Vulnerabilities: Cross-site request Forgery XSRF/CSRF
Exploits the trust a user has in a website to execute code on that user's computer, or to redirect them to another site.
Within the context of a trusted site, exploits trust a user has with that site.
Software Vulnerabilities: Privilege Escalation
Allows an attacker with typically limited access to gain access to additional resources.
Software Vulnerabilities: Backdoor
Undocumented command sequences that allow individuals with knowledge of the backdoor to bypass normal access restrictions.
Software Vulnerabilities: Rootkits
Exploit known vulnerabilities in operating systems. A rootkit is used to expand access to the compromised system.
Software Capability Maturity Model (CMM)
Created by the Carnegie Mellon Software Engineering Institute.
A methodical framework for creating quality software that allows measurable, and repeatable results.
Has 5 levels. Now superseded by SAMM (Software Assurance Maturity Model).
SAMM Software Assurance Maturity Model
Maintained by OWASP.
Provides a framework for integrating security activities into a software development and maintenance process.
Has 5 business functions.
OWASP
Open Web Application Security Project
Acceptance Testing
Users verify that the code meets their requirements and formally accept it as ready to move into production use.
security kernel
A small, separate subsystem containing the security-critical components.
It must provide isolation for the processes carrying out the reference monitor concept, and the processes must be tamperproof.
It must be invoked for every access attempt and must be impossible to circumvent. Thus, the security kernel must be implemented in a complete and foolproof way.
It must be small enough to be able to be tested and verified in a complete and comprehensive manner.
Input validation: Range Check
Verifies input data against predetermined upper and lower limits.
Input validation: Relationship check
Compares input data to data on a master record file.
Input validation: Reasonableness check
Compares input data to an expected standard.
Input validation: Transaction limits check
Checks input data against administratively set ceilings on specified transactions.
ACID (relational Databases transactions)
Atomicity
Consistency
Isolation
Durability
Atomicity (Database)
Atomicity requires that each transaction is "all or nothing": if one part of the transaction fails, the entire transaction fails, and the database state is left unchanged.
Consistency (Database)
Ensures that any transaction will bring the database from one valid state to another.
Isolation (Database)
The isolation principle requires that transactions operate separately from each other.
Durability (Database)
The durability principle requires that once a transaction has been committed, it remains committed, even in the event of a power loss or system crash.
Salami Attack
Systematic whittling at assets in accounts or other records with financial value, where very small amounts are deducted from balances regularly and routinely.