
Software Development Security

Software Development Security. Domain Objectives • Understand software-based security controls • Understand the software development and change/maintenance processes • Specialized security controls for database and Web applications • Describe malicious software • Controls for detection of malware



Presentation Transcript


  1. Software Development Security

  2. Domain Objectives • Understand software-based security controls • Understand the software development and change/maintenance processes • Specialized security controls for database and Web applications • Describe malicious software • Controls for detection of malware • Define software engineering principles

  3. Information Security TRIAD • Confidentiality • Integrity • Availability

  4. Domain Agenda • Programming Concepts • Threats and Malware • Software Protection • Audit and Assurance Mechanisms • Database and Data Warehousing Environment • Web Application Environment

  5. Application vs. Operating System • Project Management Controls • Complexity of Systems and Projects • Controls Built into Software

  6. Generations of Programming Languages • Generation One - Machine language • Generation Two - Assembly language • Generation Three - High-level language • Generation Four - Very high-level language • Generation Five - Natural language

  7. Programming Languages • COBOL, Fortran • C, C-Plus, C++ • Smalltalk, Java, Eiffel • Visual Programming Languages • Visual Basic, Visual C, Delphi • BASIC, Logo, JavaScript

  8. HTML, XML, and ActiveX • HTML • XML • ActiveX

  9. Program Utilities • Assembler • Compiler • Interpreter

  10. Programming Concepts • System Model • Von Neumann Architecture • Object-Oriented Programming (OOP) • Inheritance • Polymorphism • Polyinstantiation

  11. Programming Concepts • Distributed Component Object Model (DCOM) • Common Object Request Broker Architecture (CORBA)

  12. Domain Agenda • Programming Concepts • Threats and Malware • Software Protection • Audit and Assurance Mechanisms • Database and Data Warehousing Environment • Web Application Environment

  13. Threats and Malware • Buffer Overflow • Denial of Service • Time of Check/Time of Use (TOC/TOU)

  14. Threats and Malware • Malformed Input Attacks • SQL Injection • Unicode Attack • Executable Content/Mobile Code • Web Applets • Dynamic Email

  15. Threats and Malware • Object Reuse • Garbage Collection • Trap Door

  16. Threats and Malware • Incomplete Parameter Check and Enforcement • Covert Channels • Inadequate Granularity of Controls • Social Engineering • Multiple Paths to Information

  17. Threats and Malware • Malicious Software • Modern malware is network aware • Compatibility - Platform Dominance • Malware Functionality

  18. Virus • Central characteristic is reproduction • Generally requires some action by the user • May or may not carry payloads

  19. Virus Types • File Infector • Boot Sector Infector • System Infector • Multipartite • Macro Virus • Script Virus • Email Virus • Hoax

  20. Virus Anti-Detection • Stealth • Tunnelling • Polymorphism • Antivirus (anti-malware) Disabling

  21. Virus Structure • Infection / Reproduction • Target Search • Infection • Avoidance • Trigger • Payload

  22. Worm • Reproduces • Generally use loopholes in systems • May not involve user • Often attacks server software

  23. Trojan Horse • Purported to be a positive utility • Hidden negative payload • Social Engineering

  24. Logic Bomb • Generally implanted by an insider • Waits for condition or time • Triggers negative payload

  25. Diddlers, Backdoors, and RATs • Data Diddler • Backdoor, Trapdoor • RAT (Remote Access Trojan)

  26. Threats and Malware • DDoS Zombie • Prank • Spyware and Adware • Phishing • BotNets

  27. Domain Agenda • Programming Concepts • Threats and Malware • Software Protection • Audit and Assurance Mechanisms • Database and Data Warehousing Environment • Web Application Environment

  28. System Life Cycle • Project Management-based Methodology • Typical Phases of a System Life Cycle

  29. System Life Cycle • Project Initiation and Planning: Establish User Requirements • Identify Alternatives • Select/Approve Approach • Required Security Activities: Determine Security Requirements • Conduct Risk Analysis • Define Security Strategy

  30. System Life Cycle • Functional Design Definition: Develop Project Plan • Identify Functional Requirements • Set Test Criteria • Define Strategy • Develop Functional Baseline • Include Security Requirements in RFPs, Contracts • Required Security Activities: Include Functional Security Requirements • Identify Security Areas • Establish Security Requirements • Security Tests • Prepare Risk Analysis and Contingency Plan

  31. System Life Cycle • Detailed Design Specifications: Prepare Detailed Designs • Update Testing Goals & Plans • Develop Formal Baseline • Required Security Activities: Document Security Baseline • Establish Security Specifications • Update Security Test Plans

  32. System Life Cycle • Develop and Document: Develop System • Unit Testing & Evaluation • Document System • Required Security Activities: Develop Security Code • Security Code Evaluation • Document Security Code

  33. System Life Cycle • Acceptance, Testing and Transition to Production: Acceptance Test (System Components, System Performance, Project Manuals) • System Test (Integrated System) • Validate • Implement • Document • Certify • Accept • Required Security Activities: Security Components • Security Code • Security in Integrated System • Security Controls • Secure Operations • Secure System

  34. System Life Cycle • Decommissioning / Disposal • Critical data recovered or destroyed • Media sanitized or destroyed • Software removal

  35. Software Development Methods • Waterfall • Spiral • Clean-room • Structured Programming Development

  36. Software Development Methods • Iterative Development • Joint Analysis Development (JAD) • Prototyping • Modified Prototype Model (MPM) • Exploratory Model • Rapid Application Development (RAD)

  37. Software Development Methods • Reuse Model • Computer Aided Software Engineering (CASE) • Component Based Development • Extreme Programming

  38. Additional Software Protection Mechanisms • Cryptography • Access Controls • Open source • Social Engineering Awareness • Backup and Redundancy Controls • Malicious Code Control • Documentation and Common Program Testing and Evaluation • Mobile Code Controls • Data Contamination Controls

  39. Domain Agenda • Programming Concepts • Threats and Malware • Software Protection • Audit and Assurance Mechanisms • Database and Data Warehousing Environment • Web Application Environment

  40. Auditing and Assurance Mechanisms • Information Integrity • Information Auditing • Malware Assurance

  41. Change Management Process • Formal Request for Change • Analyze Request for feasibility, impact, timeline (security) • Develop Implementation Strategy • Approval of Change • Develop the Change • Implement and test the Change • Review Change Effectiveness • Report to Management

  42. Testing • Last chance to avoid a disaster • Testing is intended to find the problems • Tests should address all normal and ‘unexpected’ entries and conditions • Do not compromise privacy with test data

  43. Configuration Management • Configuration Management • Patch Management • Patch Management Process

  44. Patch Management • Potential problem areas: • Distribution System Failures • Patch Failures • Inadequate Testing & Validation • Patch Rollback • Load on the network • Stability issues and other regression issues

  45. Domain Agenda • Programming Concepts • Threats and Malware • Software Protection • Audit and Assurance Mechanisms • Database and Data Warehousing Environment • Web Application Environment

  46. Database Environment • Database Management Systems • Databases - Developed to manage information from many sources in one location • Eliminates duplication of information • Preserves storage space • Prevents inconsistency in data by making changes in one central location

  47. Database Environment • Major Elements • DBMS should provide • Transaction Persistence • Fault Tolerance and Recovery • Sharing by Multiple Users • Security Controls

  48. DBMS Models • Hierarchical DBMS • Stores records in a single table • Parent/child relationships • Limited to a single tree • Difficult to link branches • (Diagram: a single tree with Car at the root; Honda, Toyota and Mazda as children; CRV, Accord and Civic as models; 4-door and 2-door as leaf records)

  49. DBMS Models • Network DBMS • Represents data as network of records and sets that are related to each other, forming a network of links • Record types - records of the same type • Set types - relationship between record types

  50. DBMS Models • (Diagram of a network DBMS: make records Ford, Mazda, BMW; model records Mazda 3, Mazda 6, E Series, Freestar, X3, X5; class records Regular, Truck, 4 x 4; feature records 5 Speed Transmission, Leather Interior, Front and Rear Climate Controls, linked to each other through sets)
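Added example (not from the slide deck): the record types and set types of slides 49 and 50, built from the deck's own car labels, contrasted with the single-tree hierarchical model of slide 48. Which model links to which make, class and feature is a constructed assumption, since the slide image is not reproduced on this page.

```python
from collections import Counter

# Record types from slide 50 (constructed sample). The make/class/feature
# links below are an assumption: the slide image is not reproduced here.
RECORD_TYPES = {
    "make": ["Ford", "Mazda", "BMW"],
    "model": ["E Series", "Freestar", "Mazda 3", "Mazda 6", "X3", "X5"],
    "class": ["Regular", "Truck", "4 x 4"],
    "feature": ["5 Speed Transmission", "Leather Interior",
                "Front and Rear Climate Controls"],
}
# Set types: owner record -> member records. A member is stored once and may
# be linked from several owners (the network model's "network of links").
SET_TYPES = {
    "make_model": {"Ford": ["E Series", "Freestar"],
                   "Mazda": ["Mazda 3", "Mazda 6"], "BMW": ["X3", "X5"]},
    "model_class": {"E Series": ["Truck"], "Freestar": ["Truck"],
                    "Mazda 3": ["Regular"], "Mazda 6": ["Regular"],
                    "X3": ["4 x 4"], "X5": ["4 x 4"]},
    "model_feature": {"Mazda 3": ["5 Speed Transmission"],
                      "Freestar": ["Front and Rear Climate Controls"],
                      "X5": ["Leather Interior",
                             "Front and Rear Climate Controls"]},
}

def owners_of(member):
    """Network model: every owner record that links the one stored member."""
    return sorted(owner for sets in SET_TYPES.values()
                  for owner, members in sets.items() if member in members)

def as_tree(root="Car"):
    """Hierarchical model: the same data forced into one tree. Each node has
    exactly one parent, so a record linked from several owners is copied."""
    def subtree(record):
        return {m: subtree(m) for sets in SET_TYPES.values()
                for m in sets.get(record, [])}
    return {root: {make: subtree(make) for make in RECORD_TYPES["make"]}}

def stored_copies(tree):
    """How many times each record name ends up stored in the tree."""
    counts = Counter()
    def walk(node):
        for name, children in node.items():
            counts[name] += 1
            walk(children)
    walk(tree)
    return counts

def duplicated(tree):
    """Records the hierarchical model must store more than once."""
    return sorted(n for n, c in stored_copies(tree).items() if c > 1)
```

Records shared across branches ("Truck", "4 x 4", a feature fitted to two models) exist once in the network model but are duplicated in the tree, which is the duplication and inconsistency risk slide 46 says a DBMS is meant to remove.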
