Application Security - PowerPoint PPT Presentation
    Presentation Transcript
    1. Application Security: CISSP Guide to Security Essentials, Chapter 3

    2. Objectives
    • Types of applications
    • Application models and technologies
    • Application threats and countermeasures
    • Security in the software development life cycle

    3. Objectives (cont.)
    • Application security controls
    • Databases and data warehouses

    4. Types of Applications
    • Agents
      • Standalone programs that are part of a larger application
      • Examples:
        • Anti-virus
        • Patch management
        • Configuration management

    5. Types of Applications (cont.)
    • Applets
      • Software programs that run within the context of another program
      • Example: media players within a browser

    6. Types of Applications (cont.)
    • Client-server
      • Separate programs on clients and servers communicate via networks and work together
      • Few are developed now, but many are still in use

    7. Types of Applications (cont.)
    • Distributed
      • Software components run on several systems
      • Two-tier, three-tier, multi-tier
      • Reasons: scalability, performance, geographical distribution

    8. Types of Applications (cont.)
    • Web
      • Web browser as client, application server as back-end
      • Client software nearly universal
      • Application software centralized

    9. Application Models and Technologies
    • Control flow languages
    • Structured languages
    • Object oriented languages
    • Knowledge based languages

    10. Control Flow Languages
    • Linear, sequential
    • Use of “if – then – else”
    • Branching with “go to”
    • Examples: BASIC, COBOL, ColdFusion, FORTRAN, Perl, PHP, Python, VBScript

    11. Structured Languages
    • Nested, heavy use of subroutines and functions
    • Little or no “go to”
    • Examples: C, Pascal

    12. Object Oriented Languages
    • Utilize concepts of object programming
      • Classes, objects, instances, and inheritance
      • Methods, instantiations
      • Encapsulation, abstraction, polymorphism
    • Examples: C++, Java, Ruby, Simula, Smalltalk

    13. Knowledge Based Applications
    • Neural networks
      • Modeled after biological reasoning processes
      • Artificial neurons that store pieces of information
      • Given cases about situations and outcomes, can predict future outcomes

    14. Knowledge Based Applications (cont.)
    • Expert systems
      • Inference engine and knowledge base of past situations and outcomes

    15. Threats to Applications
    • Reasons for attacks
      • Industrial espionage
      • Vandalism and disruption
      • Denial of service
      • Political / religious

    16. Threats to Applications (cont.)
    • Buffer overflow attacks
      • Disrupt a software application by providing more data to the application than it was designed to handle

    17. Threats to Applications (cont.)
    • Buffer overflow attacks (cont.)
      • Types
        • Stack buffer overflow
        • NOP sled attack
        • Heap overflow
        • Jump to register attack

    18. In Java
    • Instance variables and objects lie on the heap.
    • Local variables and methods lie on the stack.
    • So if we have a main method which calls the go() method, which in turn calls the gone() method, then the stack from top to bottom would consist of:

    19.
    • gone()
    • go()
    • main()

    20. (image-only slide; no transcript text)

    21. Threats to Applications (cont.)
    • Examples: Morris worm, ping of death, Code Red worm
    • Buffer overflow attack countermeasures
      • Use safe languages and libraries
      • Executable space protection
      • Stack smashing protection
      • Application firewalls
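The stack buffer overflow of slides 16 to 21, as an added C example that is not part of the deck: an unbounded `strcpy()` into a fixed buffer beside a bounded replacement that rejects over-long input. Function names (`greet_unsafe`, `greet_safe`, `fits_in_16`) are illustrative; compiling with `-fstack-protector` adds the "stack smashing protection" countermeasure the slide lists.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the slide deck. Function names are illustrative. */

/* Vulnerable: strcpy() copies until it finds a NUL byte, so any name of
 * 16 or more characters runs past `buf` and overwrites whatever the
 * compiler placed after it on the stack (saved registers, the return
 * address). Kept only to show the defect; never called on long input. */
void greet_unsafe(const char *name)
{
    char buf[16];
    strcpy(buf, name);                       /* no length check: the overflow */
    printf("Hello, %s\n", buf);
}

/* Hardened: bound the scan by the destination size, refuse input that
 * would not leave room for the NUL terminator, and terminate explicitly.
 * Returns 0 on success, -1 when the input is too long for `out`. */
int greet_safe(const char *name, char *out, size_t out_len)
{
    size_t n = 0;
    while (n < out_len && name[n] != '\0')   /* never read past out_len */
        n++;
    if (n >= out_len)                        /* also covers out_len == 0 */
        return -1;
    memcpy(out, name, n);
    out[n] = '\0';
    return 0;
}

/* Helper for checks: does `name` fit a 16-byte buffer under greet_safe()? */
int fits_in_16(const char *name)
{
    char buf[16];
    return greet_safe(name, buf, sizeof buf) == 0;
}

int main(void)
{
    char buf[16];
    greet_unsafe("Alice");                   /* 5 chars + NUL: fits, no overflow */
    if (greet_safe("Alice", buf, sizeof buf) == 0)
        printf("Hello, %s\n", buf);
    if (greet_safe("this name is far too long for the buffer", buf, sizeof buf) != 0)
        printf("rejected: input longer than %zu bytes\n", sizeof buf - 1);
    return 0;
}
```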

    22. Threats to Applications (cont.)
    • Covert channel
      • Unintended and hidden channel of communications
      • Types:
        • Covert storage channel: read a storage location and learn about the application or other data

    23. Threats to Applications (cont.)
    • Covert channel types (cont.)
      • Timing channel: observe timings in an application to determine what is happening in the application
    • Countermeasures
      • Careful software analysis, good software engineering
      • Newer versions of firewalls

    24. Threats to Applications (cont.)
    • Side channel attack
      • An attack on a cryptosystem based upon physical information gained from the system
      • Examples: timing, power consumption, emanations, and even sounds

    25. Threats to Applications (cont.)
    • Countermeasures
      • Limit release of information through shielding and other means
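The timing channel of slide 23 and the timing side channel of slides 24 and 25, as one added C example that is not part of the deck: a secret comparison that returns on the first mismatch leaks how many leading bytes matched, while the constant-time form does the same work regardless of input. The `steps` counter and the sample secret and guesses are constructed for illustration and stand in for measured time; function names are illustrative.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not from the slide deck. Names and data are illustrative. */

/* Constructed sample: a 4-byte secret and two wrong guesses. */
static const uint8_t SECRET[4]      = {0x41, 0x42, 0x43, 0x44};
static const uint8_t GUESS_EARLY[4] = {0x99, 0x42, 0x43, 0x44}; /* wrong at byte 0 */
static const uint8_t GUESS_LATE[4]  = {0x41, 0x42, 0x43, 0x99}; /* wrong at byte 3 */

/* Leaky: stops at the first mismatch, so the number of iterations (and the
 * running time) reveals how many leading bytes of the guess were right.
 * `steps` records how many bytes were examined. */
int compare_leaky(const uint8_t *secret, const uint8_t *guess,
                  size_t len, size_t *steps)
{
    *steps = 0;
    for (size_t i = 0; i < len; i++) {
        (*steps)++;
        if (secret[i] != guess[i])
            return 0;
    }
    return 1;
}

/* Constant-time: always walks every byte and ORs the differences into
 * `acc`, so the work done does not depend on where, or whether, the
 * inputs differ. Only the final equal/not-equal result is revealed. */
int compare_ct(const uint8_t *secret, const uint8_t *guess,
               size_t len, size_t *steps)
{
    uint8_t acc = 0;
    *steps = 0;
    for (size_t i = 0; i < len; i++) {
        (*steps)++;
        acc |= (uint8_t)(secret[i] ^ guess[i]);
    }
    return acc == 0;
}

/* Convenience: bytes examined by each routine for a given guess. */
size_t steps_leaky(const uint8_t *guess)
{
    size_t s;
    compare_leaky(SECRET, guess, sizeof SECRET, &s);
    return s;
}

size_t steps_ct(const uint8_t *guess)
{
    size_t s;
    compare_ct(SECRET, guess, sizeof SECRET, &s);
    return s;
}
```

In production use a library routine written for this purpose (for example OpenSSL's `CRYPTO_memcmp` or BSD `timingsafe_bcmp`), since an optimizing compiler may rewrite a hand-rolled loop.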

    26. Threats to Applications (cont.)
    • Malicious software
      • Types: viruses, worms, Trojan horses, rootkits, bots, spam, pharming, spyware, key loggers
      • Purpose
        • Steal, corrupt, or destroy information
        • Remote control
        • Denial of service

    27. Threats to Applications (cont.)
    • Types of malware
      • Virus: human-assisted replication; embeds in programs, files, master boot records
      • Worm: self-replicating; scans for victims; rapid spread
      • Trojan horse: claims one function, but is malware

    28. Threats to Applications (cont.)
    • Types of malware (cont.)
      • Rootkit: hides within or beneath the operating system
      • Bot: remote-controlled zombie
      • Spam: unsolicited e-mail

    29. Threats to Applications (cont.)
    • Types of malware (cont.)
      • Pharming: attack on DNS to redirect traffic to a decoy application
      • Spyware: collects information about usage, forwards it to a central server
      • Key logger: logs keystrokes and mouse movements, forwards them to a central server

    30. Threats to Applications (cont.)
    • Malware countermeasures
      • Anti-malware
      • Patches
      • Firewalls and application firewalls
      • Hardened systems

    31. Threats to Applications (cont.)
    • Malware countermeasures (cont.)
      • Intrusion detection systems
      • Decreased privilege levels
      • Penetration testing

    32. Threats to Applications (cont.)
    • Input attacks
      • Buffer overflow
      • Script injection
      • Cross site scripting
      • Cross site request forgery

    33. Threats to Applications (cont.)
    • Countermeasures
      • Input field filtering, application firewall, application vulnerability scanning, software developer training

    34. Threats to Applications (cont.)
    • Object reuse
      • Use of a resource belonging to another process, including:
        • Memory, databases, file systems, temporary files, and paging space

    35. Threats to Applications (cont.)
    • Object reuse countermeasures
      • Application isolation
      • Server virtualization
      • Developer training

    36. Threats to Applications (cont.)
    • Mobile code
      • Executable code, active content, downloadable content
      • Examples: active website content, downloaded programs
      • Some is desired, but some is malicious in nature

    37. Threats to Applications (cont.)
    • Mobile code countermeasures
      • Anti-malware, mobile code access controls
      • Reduced user privileges

    38. Threats to Applications (cont.)
    • Social engineering
      • Attack on personnel to gain secrets
      • People are vulnerable because they want to help
    • Social engineering countermeasures
      • Security awareness training that includes accountability

    39. Threats to Applications (cont.)
    • Time of check / time of use (TOCTOU)
      • Also known as a “race condition”
      • Defect in resource allocation and management controls
      • Possible exploitation to cause harm or steal data

    40. Threats to Applications (cont.)
    • TOCTOU countermeasures
      • Reviews of resource allocation controls
      • Improve privacy of communications
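The TOCTOU race of slides 39 and 40 on the most common resource it affects, a file path, as an added POSIX C example that is not part of the deck: a check on the path followed by a separate open of the same path (two lookups, so the object can change in between) beside the fix of opening first and inspecting the descriptor actually held. The function names and the temporary file created under `/tmp` in `demo()` are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, not from the slide deck. Names are illustrative. */

/* Racy: the check (stat on the path) and the use (open on the path) are
 * separate lookups, so the path can be repointed, e.g. replaced by a
 * symlink, between the two. Shown only to expose the defect. */
int open_racy(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return -1;                           /* time of check */
    return open(path, O_RDONLY);             /* time of use: new lookup */
}

/* Fixed: open first, refusing to follow a symlink at the final component,
 * then inspect the descriptor we hold. The check and the use now refer to
 * the same object, so nothing can be swapped underneath. */
int open_regular(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);                           /* directory, device, ...: reject */
        return -1;
    }
    return fd;
}

/* Constructed demonstration: a regular temp file is accepted, a directory
 * is rejected. Returns 0 when both behave as expected, -1 otherwise. */
int demo(void)
{
    char tmpl[] = "/tmp/toctou_demo_XXXXXX";
    int created = mkstemp(tmpl);
    if (created < 0)
        return -1;
    close(created);
    int ok  = open_regular(tmpl);            /* regular file: fd >= 0 */
    int dir = open_regular("/tmp");          /* directory: -1 */
    if (ok >= 0)
        close(ok);
    unlink(tmpl);
    return (ok >= 0 && dir < 0) ? 0 : -1;
}
```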

    41. Threats to Applications (cont.)
    • Back door / maintenance hook
      • Access holes deliberately planted by a developer
        • To facilitate easier testing during development
        • To facilitate production access
        • To facilitate a break-in

    42. Threats to Applications (cont.)
    • Back door countermeasures
      • Code reviews
      • Source code control

    43. Threats to Applications (cont.)
    • Logic bombs
      • Deliberate malfunction that causes harm
      • Time bombs
        • Malfunction on a given date and time
      • Event bombs
        • Malfunction on a specific event

    44. Threats to Applications (cont.)
    • Logic bomb countermeasures
      • Software source code review, external audits

    45. Security in the Software Development Life Cycle (SDLC)
    • SDLC
      • The entire collection of processes used to design, develop, test, implement, and maintain software

    46. Security in the Software Development Life Cycle (cont.)
    • Security must be included in each step of the SDLC
      • Conceptual
      • Requirements and specifications development
      • Application design, coding, and testing

    47. Security in the Software Development Life Cycle (cont.)
    • Security in the conceptual stage
      • Presence of sensitive information must be identified
      • Access controls (users, administrators, third parties)
      • Regulatory conditions
      • Security dependencies

    48. Security in the Software Development Life Cycle (cont.)
    • Security application requirements and specifications
      • Functional requirements
      • Standards
      • Security requirements
        • Roles, access controls, audit logging, configuration management

    49. Security in the Software Development Life Cycle (cont.)
    • Requirements and specifications (cont.)
      • Regulatory requirements
      • Test plan is a byproduct of requirements

    50. Security in the Software Development Life Cycle (cont.)
    • Security in application design
      • Adhere to all requirements and specifications
      • Published design documents
      • Design reviews
        • Reviewed by all stakeholders, including security