Application Security Fundamentals


  • 8/6/2019 Application Security Fundamentals

    1/61


    Application Security Fundamentals

    Table of Contents:

    Course Overview and Objectives

    Introduction
        Introduction
        What is security?
        What is software security?
        Cost of Security Defects
        Threat Terminology
        Module Summary

    Challenge Security Misconceptions
        Challenge Security Misconceptions
        The Changing Attack Profile
        Functional Testing versus Security Testing
        Security Bugs
        All Software Has Bugs
        Patches Do Not Guarantee Security
        Internal Threats
        Module Summary

    OWASP
        OWASP
        Introduction to OWASP
        Cross-site Scripting (XSS)
            Key Concepts of Cross-site scripting (XSS)
            Impact of XSS
            Identifying XSS Flaws
            Preventing XSS Flaws
        SQL Injection
            Key Concepts of SQL Injection
            Preventing SQL Injection
        Insecure Direct Object Reference
            Key Concepts of Insecure Direct Object Reference
            Directory Traversals
            Addressing Directory Traversal Issues
        Cross-Site Request Forgery (CSRF)
            Key Concepts of Cross-Site Request Forgery (CSRF)
            Executing CSRF Attacks
            Preventing CSRF
        Malicious File Execution
            Malware
            Malicious File Execution
        Information Leakage and Improper Error Handling
            Information Leakage and Improper Error Handling

    Page 1 of 61 Application Security Fundamentals

    2/8/2010 https://elearning.securityinnovation.com/veracode/file.php/35/moddata/scorm/187/CourseFi...


            Preventing Information Leakage and Improper Error Handling
        Broken Authentication and Session Management
            Session Hijacking
            Preventing Session Hijacking
            Example of Session Fixation
        Poorly Implemented Cryptography
        Insecure Communication
            Secure Sockets Layer and Transport Layer Security (SSL and TLS)
            Internet Protocol Security (IPSec)
        Failure to Restrict URL Access
        Module Summary

    Security Principles
        Security Principles
        Structural Security
        Principle of Least Privilege
        Test Everything
        Module Summary

    Security Goals and Controls
        Security Goals and Controls
        Authentication
            Authentication
            Authentication Considerations
        Authorization
            Authorization Considerations
            Authorization Considerations
        Module Summary

    Security in the SDLC
        Security in the SDLC
        Establishing Security Requirements
        Categorizing Threats
        Prioritizing Threat Mitigation
        Developing Secure Code
        Overview of Security Testing
        Testing for Specific Types of Vulnerabilities
        Leveraging Security Testing Tools
        Stop and Think!
        Module Summary


    Course Overview and Objectives

    Just like functionality, performance, and reliability, security is another crucial component of an application's quality. Recognizing the risk that software vulnerabilities represent, understanding their root causes, and addressing these issues early in the software development lifecycle are essential for being able to help your organization build secure software.

    Course Prerequisites

    This course requires that you meet the following prerequisites:

        Programming knowledge and experience.

    Course Objectives

    Upon completion of this course, you will be able to:

        Understand the attacker mindset and what is at risk.
        Recognize the importance of managing software security risk and the consequences of failing to do so.
        Challenge security misconceptions.
        Understand common security vulnerabilities and their mitigations.
        Understand security principles.
        Understand key security goals and controls.
        Understand how security fits into the software development life cycle (SDLC).

    Narration: Just like functionality, performance, or reliability, security is another crucial component of an application's quality. But what does software security mean? And why should you care about it?

    Recognizing the risk that software vulnerabilities represent and understanding their root causes is essential to enable you to help your organization build secure software. This course will teach you the activities that an organization needs to undertake to ensure that the software it develops can withstand malicious attacks.

    This course assumes that you possess basic computer skills and a basic knowledge of the software development process.

    By the end of this course, you will be familiar with the main characteristics of a secure software development lifecycle and the activities that your organization should perform to develop secure software. Furthermore, you will recognize the need to address software security in your everyday work.

    Introduction

    Introduction


    Module Overview

    This module will help you understand the importance of designing and maintaining software security throughout the software development lifecycle. You will learn the fundamentals of secure software design, how to align security decisions with corporate policies and strategies, and how software security failures can lead to meaningful business risks.

    Module Objectives

    After completing this module you will be able to:

        Understand the importance of software security.
        Understand the cost of security defects.
        Understand threat and risk management terminology.
        Distinguish between types of attackers and their motivations.

    Narration: This module will help you understand the importance of designing and maintaining software security throughout the software development lifecycle. You will learn the fundamentals of secure software design, how to align security decisions with corporate policies and strategies, and how software security failures can lead to meaningful business risks. The module defines threat terminology and helps you understand how threats are evaluated using threat modeling techniques. Also demonstrated are guidelines on identifying attacks and understanding the attackers' motivations. Finally, the module explains why a consistent assessment methodology is required to ensure secure software implementations.

    What is security?

    Narration: Information security seeks to protect the confidentiality, integrity, and availability of protected information and systems. These three principles of information security are called the CIA triad. Confidentiality means that private or proprietary information is protected from unauthorized disclosure.

    Integrity refers to the need to protect information from being modified or deleted by unauthorized users.

    Maintaining availability of protected systems ensures that information and business functions will be reliably accessible.

    What is software security?


    Software security is the design and implementation of application functionality intended to ensure the confidentiality, integrity, and availability of protected information and systems.

    Software security must align with:

        Confidentiality
        Integrity

    Software security is not the same as network security. Network security focuses on restricting communication paths between systems. Software security focuses on the run-time logic within applications and the processing of data passed inside of an allowed communication path.

    Narration: Software security is the design and implementation of application functionality intended to ensure the confidentiality, integrity, and availability of protected information and systems.

    Software security is just one component of the larger effort of developing robust, reliable code. Insecure code is often also unstable, unreliable code, although this is not always true. Many people confuse software security with network security. Network security primarily focuses on the protection of an organization's servers and computer infrastructure with the help of firewalls and intrusion-detection techniques. These mechanisms control the flow of data between networked systems.

    On the other hand, software security focuses on protecting information and resources made accessible by applications and programs running on computer systems.

    A good software security policy can trace its roots to larger corporate risk-management policies. Software security is most effective when developed within the framework of an overall security and risk-management strategy adopted by your organization.

    Cost of Security Defects


    The cost of removing a security vulnerability increases exponentially as one progresses along the software development lifecycle. Industry studies have shown that the total cost of removing a security vulnerability during testing is less than 2 percent of the cost of removing it after deployment. Removing a defect even earlier, during design, is far cheaper than removing it during testing.

    Narration: The longer it takes to find a security bug, the more money is spent fixing it. Imagine that a security bug is found in a piece of popular desktop software; it would be expensive to fix. There is the immediate damage to the reputation of the software vendor, and customers could incur losses as a result of active exploitation. The vendor must make a patch, warn all their customers, and provide them with the patch. The patch must be tested and deployed. If you are interested in reducing the total cost of securing your application, make it a point to discover security vulnerabilities in your application as early as possible. Do not wait until your customer discovers a vulnerability, or falls victim to a security breach, before you fix it.

    Threat Terminology


    Module Summary


    Understand the importance of software security

    Security is defined as protecting information and systems from unauthorized access, use, disclosure, disruption, modification, or destruction. Confidentiality, integrity, and availability are the three main components of information security and they form the CIA triad.

    Software security means ensuring proper functioning of the software or an application running on an organization's network even after an unauthorized, malicious attack takes place.

    It is critical for every organization to understand the risks a security failure can cause and implement effective risk-management techniques in order to reduce the likelihood of a costly incident.


    Understand the cost of security defects

    Organizations need to assess the software they develop at various stages of the software development life cycle. The cost of finding bugs in the initial stage is much less than the cost of finding bugs at later stages.


    Understand threat and risk management terminology

    To get a deeper insight into software security, you need to be well-versed in the various terms associated with threats and security. Threats can be categorized based on the goals and purposes of the attacks. By analyzing risks, you can determine the probability of the occurrence of a problem. It also helps you to identify the impact of a problem if it were to occur.


    Distinguish between types of attackers and their motivations

    In order to conduct proper threat modeling and design appropriate defenses, it is important to understand the different types of attackers, recognize their motives, and appreciate their skill sets. Not all software requires the same level of security, so accurate asset identification and threat modeling are essential to a well-designed risk management plan.


    Challenge Security Misconceptions

    Challenge Security Misconceptions

    Module Overview

    This module highlights common misconceptions around application security. We will explain each of these misconceptions, explaining the risks these misunderstandings can pose as well as steps you can take to avoid these common pitfalls.

    Module Objectives

    After completing this module you will be able to:

        Describe common security misconceptions.
        Explain how to avoid common security misconceptions.

    Narration: This module highlights common misconceptions around application security. We will explain each of these misconceptions, explaining the risks these misunderstandings can pose as well as steps you can take to avoid these common pitfalls.

    The Changing Attack Profile

    Most people tend to think of security as a network problem. Their answer is to protect the boundary of a system using firewalls and antivirus software.

    The truth is that security is a software problem, and network insecurities usually result from flaws in applications running on the system or from poor configurations.

    It is estimated that over 70 percent of attacks against a company's network are at the Application Layer, not at the system or network layer.


    Narration: Most people tend to think of security as a network problem, and the common answer to security questions is to protect the boundary of a system with firewalls and antivirus software. However, in reality, security is a software problem. Most insecurities, including network insecurities, result from flaws in applications running on the system or because of poor configurations.

    According to Gartner, over 70 percent of attacks on a company's network are at the Application Layer, not at the system or network layer.

    Network security does little to protect sites from an application-layer attack. For example, a properly constructed and encrypted SSL Web request bypasses the firewall and is completely unseen by a Network Intrusion Detection System. With that said, if attackers gain access through the application layer, they can bypass most of the intrusion detection, hide behind SSL, and enter an application database directly. Therefore, the general hack method is that an attacker will attempt to penetrate the layer that's appropriate for the asset they're trying to hack.

    Functional Testing versus Security Testing

    Functional Testing:

        Functional testing verifies that the application does what it is supposed to do.
        It includes applying inputs to verify correct outputs.
        Functional testers ask "What is the software supposed to do?"

    Security Testing:

        Security testing involves verifying that the application does not do what it is not supposed to do.
        It includes applying inputs and verifying that no bad things occur.
        Security testers ask "What is the software not supposed to do?"

    Narration: Development teams have been performing functional testing for decades and the process is pretty well entrenched. Usually, we have a test plan that tells us what the application is supposed to do.

    Say, for example, our test plan tells us to apply input A and that the application should generate output B. As a functional tester, that's what we do: apply A, watch for B, and when we see it, we mark the test case as passed. What we are doing here is verifying that the application did what it was supposed to do. But this is both too much and not enough for security testing. It's too much because security testers don't bother with what the application is supposed to do. It's not enough because we should also be concerned with what the application is not supposed to do!

    In other words, when we apply input A, we should not care about output B that is supposed to occur. Instead, we should try to verify that a vulnerable output C does not occur. So unlike functional testing, security testing anticipates and tests for insecure behaviors.


    Security Bugs

    Security bugs are much harder to spot than functional bugs; they often have no behavior that is visible to the human eye.

    To find security bugs:

        Think about side effects and what sensitive data might be exposed to.
        Think backwards; that is, instead of thinking about what should happen, we need to think about what shouldn't happen.

    Narration: When testing for security bugs, keep in mind that these types of bugs can be much harder to spot than a functional bug. They are often the result of side effects or the interactions of multiple bugs that result in an exploitable outcome. Security testing requires you to think first about the possible threats to an application, the undesirable outcomes, and then progress from the threat to the attacks that could realize that threat.

    All Software Has Bugs

    All software will have bugs; even the best developers make mistakes. Some of these bugs will inevitably result in security vulnerabilities. Factor time into your projects to think specifically about security. If you conduct security assessments early and find security bugs before it's too late, you may save a lot of time and money.

    Narration: Even the best developers make mistakes. Practically speaking, all software has bugs, and some of those bugs, regardless of the security controls used, will result in a security vulnerability that may cause harm to your users or data. It is a common fallacy that security features will protect against all security problems. A security feature is typically designed to protect against one specific attack, such as encryption protecting against eavesdropping. Encryption cannot protect against SQL injection, buffer overflows, and other very common vulnerabilities.

    Consider vulnerability assessments as a benefit to application development. U.S. $1 spent up front on vulnerability assessment saves U.S. $10 during development and U.S. $100 after release. Finding a vulnerability in your design means that you have the opportunity to redesign more securely. However, if you find vulnerabilities during the development phase, you need to spend time and money on changing the design, which will have a cascading impact on your implementation. If you find vulnerabilities during testing or after the software has been released, you need to change the design and rewrite code to close the vulnerabilities.


    Patches Do Not Guarantee Security

    Releasing a patch may result in the resolution of a known security vulnerability, but even patches can have bugs. When deciding to patch, evaluate the risk of introducing new bugs and new vulnerabilities against the damage caused by the vulnerability you are patching.

    When you do patch a vulnerability, take the time to understand the root cause. Otherwise, you may patch a symptom and have to continue re-patching as attackers discover workarounds and related vulnerabilities.

    Narration: Whether you are modifying, fixing, or patching code, all maintenance tasks must be evaluated for risk so that maintaining your application does not introduce security flaws that were not there prior to maintenance. Patches can fix security vulnerabilities and other bugs, and can improve the usability or performance of your application. Though meant to fix problems, poorly designed patches can sometimes introduce new problems.

    When deploying a patch, bear in mind that patches only fix symptoms of known problems. Patches prevent an attacker from using a known attack vector. There may be other problems in your software that you do not know about yet. In addition, patches do not always address the root cause of problems and may actually introduce new functional or security bugs.

    Internal Threats


    Insider attacks are a threat that needs to be considered when developing your application:

        Attackers may already be inside the defended perimeter.
        29 percent of all distinguishable attacks are from insiders.
        Internal attackers have far more access to data and systems than outsiders.
        Clueless and careless insiders may also bring external threats inside.
        Internal threats need to be considered in your solution design.
        Internal systems are not always safer from attack than external systems.

    Narration: Internal sources of threats cannot be ignored because it's estimated that 29 percent of all attacks are conducted by insiders, either intentionally or by executing viruses unintentionally. Often attackers bounce the attack off of an internal user through XSS or a Trojan horse program, so the risk is almost as high as the external threat.

    Insiders have far more access to data and systems than an external attacker, and as a result they can cause much more damage. They can directly steal data from the data store and transport that data out of the organization. Common methods for transporting data are small USB flash memory devices or sending the outbound data encrypted as an SSL transaction using the fast network bandwidth. The data can even be chunked into small files so as not to trigger the data leakage products on a network.

    Clueless insiders can also bring external threats inside by using an infected laptop, clicking an e-mail with a virus, or browsing malicious sites that can attack your systems.

    Consider internal threats in your solution design, treat all users as potentially hostile, and treat internal data feeds to an application as untrusted. Remember that even the most trusted user can be a hacker!

    Module Summary


    Describe common security misconceptions

    Developers may have the misconception that security is important at the network and operating system levels and that it's not important at the application level; however, networks and operating systems can do very little to prevent attacks.

    Similarly, developers also tend to believe that patches, functional tests, Java and .NET, cryptography, client-side security checks, and firewalls are good enough to protect applications. However, these too have their shortcomings and cannot prevent application-level attacks.


    Explain how to avoid common security misconceptions

    It's very important for you to implement robust security in your application code and conduct regular security tests. When conducting security tests, you should look out for behaviors that should not happen. Additionally, you should be wary of internal attacks and design your system with the insider threat in mind. If you choose to use tools such as Static Analysis Tools, Dynamic Analysis Tools, and Application Vulnerability Scanners, be aware of their strengths and weaknesses so they can be used most effectively.

    Implementing security in an application early helps prevent loss of money. If you spend U.S. $1 on implementing application security during the design phase, you may save U.S. $10 if the same problem were discovered during the development phase and U.S. $100 after the application's release.


    OWASP

    OWASP

    Module Overview

    Open Web Application Security Project (OWASP) is an open-source application security project. This module will help you understand what OWASP is all about.

    Module Objectives

    After completing this module you will be able to:

        Understand OWASP and its importance.
        Name each of the OWASP top 10 vulnerabilities.
        Understand the basics of the vulnerabilities and their impact.

    Narration: This module will help you understand what the Open Web Application Security Project (OWASP) is. First, you will be introduced to what OWASP stands for and why it is important in the software development lifecycle. Then, this module will provide details about the top 10 vulnerabilities listed by OWASP and describe how these vulnerabilities can evolve over time as new attacks are discovered. By the end of this module, you will know the basics of these vulnerabilities and their impact on application software.

    Introduction to OWASP

    Open Web Application Security Project (OWASP)

    OWASP was founded in 2003 and focuses on improving the security of Web application software.

    OWASP is an open-source Web application security project. Members of this project include a variety of security experts from around the world who have shared their expertise to produce a list of the most critical Web application security flaws.

    OWASP Top 10 is a document created for Web application security, which highlights the 10 most important Web application vulnerabilities.

    Note: The official OWASP Web site is www.owasp.org.

    Narration: A popular trend, which started originally with the SANS Institute, is for organizations to publish annual Top 10 lists of each year's most common security vulnerabilities. Since 2003, the Open Web Application Security Project (OWASP.org) has published such a list for Web application security. The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of Web applications.

    Security experts from around the world gather to share their expertise with each other and come up with the top 10 security vulnerabilities of the year. These vulnerabilities, collated as the OWASP Top Ten, provide a powerful awareness document for Web application security and represent a broad consensus about the most critical Web application security flaws. Therefore, adopting the OWASP Top Ten is an effective first step towards changing the software development culture within your organization into one that produces more secure code.


    Cross-site Scripting (XSS)

    Key Concepts of Cross-site scripting (XSS)


        XSS is a Web-based attack performed on vulnerable Web applications.
        In XSS attacks, the victim is the user and not the application.
        In XSS attacks, malicious content is delivered to users using JavaScript.
        The 3 types of XSS vulnerabilities are:

            Persistent
            Reflective (non-persistent)
            DOM-based

    Narration: As the name suggests, Cross-site scripting (XSS) is a Web-based security vulnerability in which a user, instead of a Web application, is attacked. During such an attack, a vulnerable Web application is exploited to deliver malicious content to users via script. This content can include HTML or JavaScript code and appear as a persistent, a reflective or non-persistent, or a DOM-based attack.

    Impact of XSS

    By exploiting XSS vulnerabilities, an attacker can perform malicious actions, such as:

        Hijack an account
        Spread Web worms
        Access browser history and clipboard contents
        Control the browser remotely
        Scan and exploit intranet appliances and applications

    Note: In an attack exploiting XSS vulnerabilities, anything that can be scripted can be used to attack a user.

    Narration: When attackers succeed in exploiting XSS vulnerabilities, they can gain access to account credentials. They can also spread Web worms or access the user's computer and view the user's browser history or control the browser remotely. After gaining control of the victim's system, attackers can also analyze and use other intranet applications.

    Identifying XSS Flaws

    XSS vulnerabilities may occur if:

        Input coming into Web applications is not validated.
        Output to the browser is not HTML encoded.

    XSS allows an attacker to embed malicious script to be run by an unsuspecting browser, using:

        JavaScript
        VB Script


        ActiveX
        HTML
        Flash

    Be suspicious any time user-provided input is echoed to the page, such as from:

        Form input
        Reverse DNS lookup
        Hidden tags

    Narration: An XSS flaw is likely to occur if the input data coming to Web servers is not validated at the source or if data output to the user is not HTML encoded.

    When incoming data isn't validated, an XSS flaw allows attackers to embed malicious script that can be executed in an unsuspecting Web browser using JavaScript, VBScript, ActiveX, HTML, or Flash.

    HTML encoding the output to the user will make sure any script is rendered as text and not executed by the browser.

    Additionally, you should be suspicious any time user-provided input is echoed on the page. This applies to input such as form input, reverse DNS lookup, and hidden tags.

    Preventing XSS Flaws

    In order to avoid XSS vulnerabilities, you can perform the following actions:

    - URLEncode all user input returned as part of URLs (convert ?, &, /, and spaces to their respective URL-encoded equivalents).
    - HTMLEncode all user input returned as part of HTML.
    - Convert all user input to a single character encoding before parsing.

    Narration: To prevent XSS vulnerabilities, you should URLEncode all user input that is returned as part of URLs. This will convert ?, &, /, and spaces to their respective URL-encoded equivalents. Additionally, you should HTMLEncode all user input returned as part of HTML. This will convert special characters into their respective HTML-encoded equivalents. Last but not least, you should convert all user input to a single character encoding before parsing. This applies to single/double hex encoding, Unicode encoding, and UTF-8 parsing.
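As an added example (not from the course), here are the three steps above in Python: canonicalize the input to one encoding, then HTMLEncode it where it lands in HTML and URLEncode it where it lands in a URL. The page fragment and the `/go?next=` parameter are constructed for the demonstration.

```python
import html
import urllib.parse


def canonicalize(value: str, max_rounds: int = 3) -> str:
    """Bring input to a single encoding before it is validated or re-encoded.

    Percent-decoding is repeated until the value stops changing, so a
    double-encoded payload such as %253Cscript%253E is seen as <script>
    by the checks that follow rather than slipping past them.
    """
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def render_vulnerable(name: str, next_url: str) -> str:
    """The flaw: user input is echoed into HTML and into a URL unencoded."""
    return (f"<p>Hello {name}</p>"
            f'<a href="/go?next={next_url}">continue</a>')


def render_safe(name: str, next_url: str) -> str:
    """Encode for the context the data lands in.

    html.escape turns < > & " ' into entities, so script is shown as text.
    urllib.parse.quote percent-encodes ? & / = and spaces (safe="" encodes
    the slash too); its output contains no HTML-active characters, so it
    can sit inside the quoted href attribute without further escaping.
    """
    name = canonicalize(name)
    next_url = canonicalize(next_url)
    return (f"<p>Hello {html.escape(name, quote=True)}</p>"
            f'<a href="/go?next={urllib.parse.quote(next_url, safe="")}">continue</a>')


if __name__ == "__main__":
    # Constructed sample input for a stand-alone run.
    payload = "<script>alert(1)</script>"
    print(render_vulnerable(payload, "/home?tab=1&x=y"))
    print(render_safe(payload, "/home?tab=1&x=y"))
```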


    SQL Injection

    Key Concepts of SQL Injection

    SQL injection is a software vulnerability that occurs when data entered by users is sent to the SQL interpreter as a part of an SQL query.

    Attackers provide specially crafted input data to the SQL interpreter and trick the interpreter into executing unintended commands.

    SQL injection exploits security vulnerabilities at the database layer. By exploiting the SQL injection flaw, attackers can create, read, modify, or delete sensitive data.

    Narration: SQL injection is a software vulnerability that occurs when data entered by users is sent to the SQL interpreter as a part of an SQL query. SQL injection exploits security vulnerabilities at the database layer. By exploiting the SQL injection flaw, attackers can create, read, modify, or delete sensitive data.

    Attackers utilize this vulnerability by providing specially crafted input data to the SQL interpreter in such a manner that the interpreter is not able to distinguish between the intended commands and the attacker's specially crafted data. The interpreter is tricked into executing unintended commands.

    Preventing SQL Injection

    In order to prevent or mitigate SQL injection vulnerabilities:

    - Use input validation for length, type, syntax, and business rules.
    - Grant least privileges to those with database permissions.
    - Use strongly typed parameterized queries.
    - Show care when using stored procedures.

    Narration: SQL injection can be prevented if you adopt an input validation technique in which user input is checked against a set of defined rules for length, type, and syntax, and also against business rules.

    You should ensure that users with permission to access the database have the least privileges. Additionally, do not use system administrator accounts like sa for Web applications. Also, you should always make sure that a database user is created only for a specific application and that this user is not able to access other applications. Another preventive measure is to remove all stored procedures that are not in use.

    Use strongly typed parameterized query APIs with placeholder substitution markers, even when calling stored procedures.

    Show care when using stored procedures. They are generally safe from SQL injection, but they can still be injectable, for example when they call exec() or concatenate their arguments into a query inside the stored procedure.
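An added example, not from the course, showing the injectable concatenation beside the two defenses the slide lists (input validation and a parameterized query), using Python's sqlite3 module with a constructed in-memory users table and a constructed username rule.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for the application's database.
    (For least privilege on a real file, connect the application's own account
    read-only, e.g. sqlite3.connect("file:app.db?mode=ro", uri=True).)"""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The flaw: the value is spliced into the SQL text, so the interpreter
    cannot tell where the intended query ends and the user's data begins."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Fix 1: a strongly typed parameterized query. The ? placeholder binds the
    value as data; quotes and keywords inside it are never parsed as SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Fix 2: validate length, type and syntax against a business rule before the
# value reaches the database at all (rule constructed for this example).
USERNAME_RULE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Validation first, then the parameterized query; both layers together."""
    if not isinstance(name, str) or USERNAME_RULE.fullmatch(name) is None:
        raise ValueError("username fails validation rule")
    return lookup_parameterized(conn, name)


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"   # classic test string for an injectable query
    print(lookup_vulnerable(db, tautology))      # every row comes back
    print(lookup_parameterized(db, tautology))   # no such user: []
```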


    Insecure Direct Object Reference

    Key Concepts of Insecure Direct Object Reference

    Insecure Direct Object Reference occurs when a developer exposes a reference to an internal implementation object.

    Attackers can easily manipulate an Insecure Direct Object Reference to gain unauthorized access to confidential objects and exploit them.

    Avoid exposing direct references. If they must be used, perform an authorization check.

    Narration: Insecure Direct Object Reference is a security vulnerability that occurs when a developer, accidentally or through negligence, creates a URL or form parameter exposed to the user that contains a reference to an object, such as a file, directory, database record, or key, which is confidential to the organization.

    Due to such an exposure, attackers can easily manipulate the reference to gain access to other confidential objects and view or modify them.

    The best protection is to avoid exposing direct object references to users by using an index, an indirect reference map, or another indirect method that is easy to validate. If a direct object reference must be used, ensure that the user is authorized before using it.

    Directory Traversals

    Challenge: Request a filename from the user.

    Problem: The user may input a correct filename, OR may attempt to escape the application directory by:

    - using / or \ to access the root directory
    - using .. to access the parent directory
    - manipulating symbolic links (i.e. shortcuts)


    Narration: Directory traversals can happen when a Web application accepts a filename from the user but doesn't validate that the filename does not allow the user to access unintended locations in the file system.

    Addressing Directory Traversal Issues

    In order to prevent or mitigate directory traversal:

    - Examine code against a user-specified file.
    - Always use explicit paths.
    - Define an application-specific MYAPP_PATH.
    - Use regular expressions to opt in known good paths. For example:

        ^[cd]:(?:\\\w+)+\\\w{1,32}\.(txt|jpg|gif)

    Narration: To avoid directory traversal, you should examine application code against a user-specified file. You should avoid relative or default paths. In addition, you should never use the environment variable path for locating files, because it can be changed and cannot be relied upon. Therefore, you should always define explicit, application-specific paths, such as MYAPP_PATH.

    To do this, you can use a regular expression that will only allow the files present on paths already known, verified, and secured by you. Note the sample expression displayed on the screen. In this expression, the path is alphanumeric, which allows the application to accept txt, jpg, or gif files from the C or the D drive of the server hosting the application.
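An added Python example (not part of the course) that applies the slide's regular expression with fullmatch and also enforces containment under an explicit MYAPP_PATH; the root /srv/myapp/files is a constructed value and a POSIX deployment is assumed.

```python
import posixpath
import re

# The course's sample expression, compiled as a Python regex. Two changes a
# reviewer would ask for: it is used with fullmatch() so nothing may follow
# the extension (the slide's version has no end anchor and would accept
# "c:\app\a.txt\..\..\x" as a prefix match), and re.ASCII keeps \w to
# [A-Za-z0-9_] so Unicode letters cannot widen the allow-list.
KNOWN_GOOD_WINDOWS_PATH = re.compile(
    r"^[cd]:(?:\\\w+)+\\\w{1,32}\.(txt|jpg|gif)$", re.ASCII)

# Explicit, application-specific root; a constructed value for this example.
MYAPP_PATH = "/srv/myapp/files"


def is_known_good_windows_path(path: str) -> bool:
    """Opt-in check: only paths matching the known-good pattern are accepted."""
    return KNOWN_GOOD_WINDOWS_PATH.fullmatch(path) is not None


def resolve_under_app_path(user_file: str) -> str:
    """Map a user-specified filename onto MYAPP_PATH, or raise ValueError.

    Rejects NUL bytes, absolute paths (leading / or \\ and drive letters),
    and any result that leaves MYAPP_PATH once '..' segments are resolved.
    Assumes a POSIX deployment. On a live filesystem, apply os.path.realpath
    to the candidate before the containment check as well, so a symbolic
    link inside MYAPP_PATH cannot point outside it.
    """
    if "\x00" in user_file:
        raise ValueError("NUL byte in filename")
    normalised = user_file.replace("\\", "/")
    if normalised.startswith("/") or re.match(r"[A-Za-z]:", normalised):
        raise ValueError("absolute path not allowed")
    candidate = posixpath.normpath(posixpath.join(MYAPP_PATH, normalised))
    if candidate == MYAPP_PATH:
        raise ValueError("no file specified")
    # commonpath, not startswith: "/srv/myapp/files2" would pass a prefix test.
    if posixpath.commonpath([MYAPP_PATH, candidate]) != MYAPP_PATH:
        raise ValueError("path escapes application directory")
    return candidate


if __name__ == "__main__":
    print(is_known_good_windows_path(r"c:\myapp\data\report.txt"))   # True
    print(is_known_good_windows_path(r"c:\myapp\..\windows\win.ini"))  # False
    print(resolve_under_app_path("reports/q1.txt"))
```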


    Cross-Site Request Forgery (CSRF)

    Key Concepts of Cross-Site Request Forgery (CSRF)

    CSRF is a malicious attack where the attacker exploits the user's Web browser to execute undesired actions on behalf of the user. These actions include:

    - Transferring funds
    - Changing passwords
    - Purchasing items using online shopping

    Narration: Cross-Site Request Forgery (CSRF) is a malicious attack that tricks the user's Web browser into performing undesired actions so that they appear as if an authorized user is performing those actions.

    For example, if an attacker is able to modify the content viewed by the user's browser, perhaps with a hostile Web site, while the user is checking an online bank account, the attacker can change the user's transaction password to control the user's actions and transfer funds to the attacker's account.

    Executing CSRF Attacks


    CSRF attackers use the functionality of the victim's browser against them.

    When a user accesses a Web site and logs on to his account, the user's credentials are stored within the Web site's cookie.

    The Web browser automatically associates the cookie with the actions the user performs on the Web site.

    Since the user was authenticated by the Web site, if an attacker exploits the CSRF vulnerability at this stage, the Web application is not able to distinguish between a valid action performed by the user and a malicious action initiated by an attacker.

    Narration: To exploit a CSRF vulnerability, the attacker uses the functionality of the victim's Web browser. When the victim accesses a Web site using his login ID and password, the victim's credentials are automatically saved to the Web site's cookie. The Web browser will always associate the user with this cookie whenever the user performs any action on this Web site.

    Since the user was authenticated by the Web site, if an attacker exploits the CSRF vulnerability at this stage, the Web application is not able to distinguish between a valid action performed by the user and a malicious action initiated by an attacker.

    Preventing CSRF


    The most common defense is to append challenge tokens to each request. These challenge tokens must be associated with the user's session.

    Advantages of using challenge tokens are:

    - Attackers will not be able to provide a valid token of their own to utilize within the attack.
    - Developers can ensure that the request is valid and not coming from a source other than the user.

    Narration: The most common method to prevent CSRF attacks is to append challenge tokens to each request and associate them with the user's session. By including a challenge token with each request, the developer can ensure that the request is valid and not coming from a source other than the user.
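An added example, not from the course, of a per-session challenge token on a funds-transfer form; the Session class, the form markup and the request handler are constructed for the demonstration.

```python
import hmac
import secrets


class Session:
    """Minimal server-side session record (constructed for this example).

    The challenge token is generated per session from a CSPRNG and is never
    placed in a cookie, so the browser will not attach it on its own the way
    it attaches the session cookie to a forged cross-site request.
    """

    def __init__(self, user: str):
        self.user = user
        self.csrf_token = secrets.token_urlsafe(32)


def render_transfer_form(session: Session) -> str:
    """Embed the session's token in the form so a genuine submission carries it.
    token_urlsafe output is [A-Za-z0-9_-], so it needs no HTML escaping here."""
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
        '<input name="amount"><input type="submit" value="Send"></form>'
    )


def handle_transfer(session: Session, form: dict) -> str:
    """Server side of the check: the submitted token must equal the one bound
    to this session. A request forged from another site arrives with the
    victim's cookie but without the token, so it is refused."""
    submitted = str(form.get("csrf_token", ""))
    expected = session.csrf_token
    # Constant-time comparison; both sides encoded so non-ASCII input cannot
    # raise TypeError instead of simply failing the check.
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return "403 Forbidden: missing or invalid CSRF token"
    return f"200 OK: transferred {form['amount']} for {session.user}"


if __name__ == "__main__":
    s = Session("alice")
    print(handle_transfer(s, {"csrf_token": s.csrf_token, "amount": "10"}))
    print(handle_transfer(s, {"amount": "10"}))   # forged request: no token
```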


    Malicious File Execution

    Malware

    Malware can be spread as file uploads or file attachments.

    Malware is a malicious program that shouldn't be executing on a system.

    - A Worm is a self-propagating program.
    - A Virus requires user action such as copying files to propagate.
    - A Trojan Horse purports to be a benign or helpful program but harbors malicious behavior.
    - A Time Bomb may perform a malicious action after a predetermined date or time is reached.

    Narration: Malware is one of the most common malicious attacks that can be used for breaching application security. Attackers having access to upload or attach arbitrary files can spread malware from their computers to trusted systems. Then, remote or local users of the application may inadvertently execute these files. There are three major types of malware: Worm, Virus, and Trojan Horse.

    A Worm is a self-propagating program that takes advantage of a vulnerability in either an operating system or a common piece of software to breach a system and start executing malicious code on it. The Worm doesn't stop there; it then searches for other systems with some vulnerability and repeats the process to spread itself. Worms can spread quickly and pose a major risk to a vulnerable network.

    A Virus attaches itself to an executable file, infecting the file. When the infected file is moved to another system and executed, other files on that system become infected with the virus. A virus uses system resources and other programs to reproduce itself.

    A Trojan Horse is named after the famous Trojan Horse in Greek mythology. A Trojan Horse purports to be a beneficial program. However, it harbors malicious functionality such as a keystroke logger for capturing passwords or remote access that will allow an attacker to attack and control a system. Users are tricked into installing the malware, which is often disguised as a browser toolbar, a media player, a video codec, or an electronic greeting card.

    Malicious File Execution


    When user input is used to open files or execute commands, there is an opportunity for malicious code execution.

    Guidelines for Preventing Malicious Code Execution

    - Never expose file identifiers to user input.
    - Never use unfiltered user input to craft a filename or an OS exec input.
    - Don't allow user input to create server-side script or include files.

    Narration: Malicious code execution can be prevented by following some guidelines. You should never expose file identifiers to a user such that they become part of user input and can be easily modified. Exposing file identifiers can also cause information leakage by allowing the user to select the filename opened by the application. Moreover, if the application executes commands or scripts contained in the file, this can lead to the more serious malicious code execution.

    Suppose user input is part of an OS shell or an exec command. Then the user can specify commands to execute. Therefore, you should always filter user input going into system(), StartProcess(), java.lang.Runtime.exec(), System.Diagnostics.Process.Start(), or similar APIs.

    Another form of malicious code execution is include file injection. An include file injection occurs when the user is able to specify a filename as input that gets included into a running script under PHP. Script injection occurs when the user is able to specify input that is interpreted by the server-side scripting engine in PHP or ASP.


    Information Leakage and Improper Error Handling

    Information Leakage and Improper Error Handling

    Information Leakage

    Disclosing information in error messages is often done because it helps normal users to fix errors and helps developers fix various problems. Examples of error messages that are likely to disclose information are ODBC error messages, authentication error messages, and others.

    Improper Error Handling

    Improper error handling can provide information that can be used for attacking a system. For example, error messages such as:

    - "Running V4.1 with X module" can provide application/platform identification information.
    - "Error encountered at line 123 in file this_is_a_weak_app.asp" can provide application implementation details.
    - "Invalid password supplied for user id xxxxx." can disclose accurate user ids.

    Narration: Disclosing information in error messages is often done because it helps normal users to fix errors and helps developers fix various problems. Examples of error messages that are likely to disclose information are ODBC error messages, authentication error messages, and others.

    Applications should handle error messages with a lot of restrictions. Improper error handling can provide information that can be used for attacking a system. For example, error messages should avoid application/platform identification information, implementation details, and information related to data quality.

    Preventing Information Leakage and Improper Error Handling

    Determine in advance:

    - What is reasonable and can be disclosed.
    - What is not to be disclosed.
    - Think from an attacker's perspective.

    Use a standard error response for all sensitive data errors, such as "An error has occurred while accessing the database."


    Narration: To prevent information leakage, one must segregate information based on some pre-defined criteria. You should determine in advance which information is safe for disclosure and which information needs protection.

    The best way to determine the level of information confidentiality is by thinking from an attacker's perspective and determining what the attacker can do with the information.

    Even while developing error-handling messages for an application, you should use a standard error response for all sensitive data errors. Just mention the macro problem, such as "An error has occurred accessing the database."
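An added Python example (not the course's code) contrasting a leaky response with the standard error response recommended above, plus a login check whose failure message is identical for an unknown id and a wrong password; the exception text, logger name and credential store are constructed.

```python
import hmac
import logging
import uuid

log = logging.getLogger("myapp")  # server-side log only; never returned to the client

STANDARD_DB_ERROR = "An error has occurred while accessing the database."
STANDARD_LOGIN_ERROR = "Invalid user id or password."

# Constructed credential store. A real application holds salted password
# hashes; plain strings are used here only to keep the comparison visible.
USERS = {"alice": "correct horse battery staple"}


class DatabaseError(Exception):
    """Stands in for a driver exception such as an ODBC error."""


def leaky_error_response(exc: Exception) -> str:
    """The flaw from the slide: the raw driver message reaches the user,
    carrying table names, file names and line numbers with it."""
    return f"500 Internal Server Error: {exc}"


def standard_error_response(exc: Exception) -> dict:
    """One generic message for every sensitive-data error.

    The detail goes to the server log under a correlation id; the client
    receives only the macro problem and the id to quote to support.
    """
    ref = uuid.uuid4().hex[:12]
    log.error("ref=%s type=%s detail=%s", ref, type(exc).__name__, exc)
    if isinstance(exc, DatabaseError):
        message = STANDARD_DB_ERROR
    else:
        message = "An error has occurred. Please try again later."
    return {"status": 500, "message": message, "ref": ref}


def authenticate(user_id: str, password: str) -> str:
    """Same wording for an unknown user id and a wrong password, so the
    response cannot be used to confirm which user ids exist."""
    stored = USERS.get(user_id)
    # Compare even when the user is unknown so both failures take the same path.
    ok = hmac.compare_digest((stored or "").encode(), password.encode())
    if stored is None or not ok:
        return STANDARD_LOGIN_ERROR
    return f"200 OK: welcome {user_id}"


if __name__ == "__main__":
    err = DatabaseError("ODBC error near 'admin' in table users (this_is_a_weak_app.asp line 123)")
    print(leaky_error_response(err))
    print(standard_error_response(err))
    print(authenticate("nobody", "x"), "|", authenticate("alice", "wrong"))
```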


    Broken Authentication and Session Management

    Session Hijacking

    Session hijacking is the alteration of session data to impersonate the session data of another user, taking over the user's session. Session hijacking can be done in several ways:

    - Attacker intercepts the communication between the client and server and steals a valid session ID.
    - Attacker tries to steal session information from the cookies stored in the user's computer.
    - Attacker guesses a predictable session ID.

    Narration: The Web is inherently connectionless and stateless, and developers rely on data sent to the client and returned with each new request to track the user's session. Improper handling of such information can lead to an attack where an attacker alters session data and impersonates the session data of another user, hijacking the user's session.

    After attackers know where this information is stored, they simply alter the information in such a way that the server will view it as the valid session of another user, whose session is hijacked.

    Session hijacking can be done in several ways. For example, an attacker can intercept the communication between a client and a server and steal a valid session ID. Alternatively, an attacker can try to steal session information from the cookies stored on the user's computer. Finally, if session IDs are predictable, an attacker could guess a valid one.

    Preventing Session Hijacking


    In order to prevent or mitigate session hijacking:

    - Use secure random session IDs such as JSESSIONID.
    - Bind the session ID to another piece of identifying information, e.g. the user's IP address.
    - Expire sessions on logout and after a set period of inactivity.

    Narration: To develop a secure application, you should restrict the instances of session hijacking by following some simple guidelines.

    Most Web frameworks provide secure random session IDs such as JSESSIONID. You need to ensure that all other session data is stored on the server side and referenced with this JSESSIONID. Using a secure random ID makes guessing difficult, so an attacker will not be able to guess another valid session ID.

    An application developer should also bind the session ID to some other piece of identifying information, such as the IP address of the user. This will make it more difficult for an attacker to use a stolen, valid session ID.

    As soon as a user logs out of a session, the session should expire. The session should also expire after a set period of inactivity. This ensures that an attacker will not be able to replay a valid session at a later stage.

    Example of Session Fixation


    Narration: Let's observe an example where an attacker induces a client to establish a session with the target software using a session identifier provided by the attacker.

    Analysis indicates that the attacker has either used a malicious link or leveraged an earlier attack, such as XSS.

    As soon as the user requests a specified application with a valid session ID, the application authenticates the user. However, the attacker already knows the same session ID. Therefore, the attacker will now be able to use the session identifier for their own transactions.

    So what does this imply? The attack leverages the fact that the target software either relies on client-generated session identifiers or maintains the same session identifier after privilege elevation.

    How to prevent such instances? To prevent session hijacking, it is important to invalidate the unprivileged session ID and provide a new session ID after authentication. It is also important to ensure correct logout, password management, and timeout functions to help mitigate various instances of session fixation and hijacking.
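An added example, not from the course, that puts the guidance from the Preventing Session Hijacking and Session Fixation slides into one in-memory session store: server-generated CSPRNG IDs only, binding to the client address, idle expiry, logout, and ID rotation at login. The store, timeout and addresses are constructed for the demonstration.

```python
import secrets
import time


class SessionStore:
    """In-memory session store, constructed for this example.

    Everything about the session lives server side; the client only holds
    the random identifier (as it would in a JSESSIONID-style cookie).
    """

    IDLE_TIMEOUT = 15 * 60  # seconds of inactivity after which a session dies

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._sessions = {}          # sid -> {"user", "client_ip", "last_seen"}

    def _new_id(self) -> str:
        return secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG

    def create(self, client_ip: str) -> str:
        """Issue an unauthenticated session. IDs are only ever generated here,
        so a client-supplied identifier is never accepted into the store."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "client_ip": client_ip,
                               "last_seen": self._clock()}
        return sid

    def lookup(self, sid: str, client_ip: str):
        """Return the session, or None if unknown, idle too long, or presented
        from a different address than it was bound to (the course's IP binding;
        note it logs out users whose address changes mid-session)."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > self.IDLE_TIMEOUT or s["client_ip"] != client_ip:
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return s

    def login(self, sid: str, client_ip: str, user: str) -> str:
        """Authenticate and rotate the identifier.

        The pre-login ID is destroyed and a fresh one issued, so an ID an
        attacker planted before authentication (session fixation) never
        becomes a privileged session.
        """
        if self.lookup(sid, client_ip) is None:
            raise PermissionError("no valid session to upgrade")
        del self._sessions[sid]
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": user, "client_ip": client_ip,
                                   "last_seen": self._clock()}
        return new_sid

    def logout(self, sid: str) -> None:
        """Expire on logout so a captured ID cannot be replayed later."""
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create("10.0.0.5")
    authed = store.login(anon, "10.0.0.5", "alice")
    print("old id still valid:", store.lookup(anon, "10.0.0.5") is not None)   # False
    print("new id valid:", store.lookup(authed, "10.0.0.5") is not None)       # True
```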


    Poorly Implemented Cryptography


    Insecure Communication

    Secure Sockets Layer and Transport Layer Security (SSL and TLS)

    SSL and TLS are commonly used to secure the channel between a browser and a Web server.

    - It is application independent.
    - It allows protocols like HTTP, FTP, and Telnet to be layered transparently on top of it.
    - SSL supports a variety of cryptographic algorithms.

    Narration: SSL/TLS is commonly used to secure the channel between a browser and a Web server. It is application independent and allows protocols like HTTP, FTP, and Telnet to be layered transparently on top of it.

    SSL supports a variety of cryptographic algorithms. For example, during the "handshaking" process, it uses the RSA public-key cryptosystem, and after the keys are exchanged, it uses a number of ciphers including RC2, RC4, IDEA, DES, and triple-DES.

    Internet Protocol Security (IPSec)


    Failure to Restrict URL Access



    Understand OWASP and its importance

    A popular trend, which started originally with the SANS Institute, is for organizations to publish annual Top 10 lists of each year's most common security vulnerabilities. Since 2003, the Open Web Application Security Project (OWASP.org) has taken over this task. OWASP is a worldwide free and open community focused on improving the security of application software and on developing an open source Web application security community.



    Name each of the OWASP top 10 vulnerabilities

    The OWASP Top 10 Security Flaws are Cross-site Scripting (XSS), Injection Flaws, Malicious File Execution, Insecure Direct Object Reference, Cross-site Request Forgery (CSRF), Information Leakage and Improper Error Handling, Broken Authentication and Session Management, Insecure Cryptographic Storage, Insecure Communications, and Failure to Restrict URL Access.




    Understand the basics of the vulnerabilities and their impact

    Cross-site scripting (XSS) is a Web-based security vulnerability in which a user, rather than a Web application, is attacked. During such an attack, a vulnerable Web application is hacked to deliver malicious content to users via script. This content can include HTML or JavaScript code and appear as a persistent, a reflective (non-persistent), or a DOM-based attack.

    SQL injection is a software vulnerability that occurs when data entered by users is sent to the SQL interpreter as a part of an SQL query. SQL injection exploits security vulnerabilities at the database layer.

    By exploiting the SQL injection flaw, attackers can create, read, modify, or delete sensitive data.

    Insecure Direct Object Reference is a security vulnerability that occurs when a developer, accidentally or through negligence, creates a URL or form parameter with a reference to an object, such as a file, directory, database record, or key, which is confidential to the organization.

    CSRF is a malicious attack where the attacker exploits the user's Web browser to execute undesired actions on behalf of the user. These actions include transferring funds, changing passwords, and purchasing items using online shopping.

    Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise. Malicious file execution attacks affect PHP, XML, and any framework that accepts filenames or files from users.

    Disclosing information in error messages is often done because it helps normal users to fix errors and helps developers fix various problems. Applications should handle error messages with a lot of restrictions. Improper error handling can provide information that can be used for attacking a system. To prevent information leakage one must segregate information based on some pre-defined criteria. You should determine in advance which information is safe for disclosure and which information needs protection.

    The Web is inherently connectionless and stateless, and developers rely on data sent to the client and returned with each new request to track the user's session. Improper handling of such information can lead to an attack where an attacker alters session data and impersonates the session data of another user, hijacking the user's session. After attackers know where this information is stored, they simply alter the information in such a way that the server will view it as the valid session of another user, whose session is hijacked.


    Security Principles

    Security Principles

    Module Overview

    This module will help you understand key security principles and recognize the importance of incorporating these principles within your software development lifecycle.

    Module Objectives

    After completing this module you will be able to:

    - Understand and incorporate key security principles.
    - Define Layered Security / Defense in Depth.
    - Define segmentation.
    - Define structural security.

    Narration: This module will help you understand key security principles and the importance of incorporating these principles within your software development lifecycle. The module will first introduce you to incorporating security into your software development process. Then, it will introduce defense in depth as a strategy to protect information technology resources and data. This module will further describe different ways to segment data, the importance of structural security in an organization, and various principles of information security. Finally, the module will help you recognize the need to test for security vulnerabilities.

    Structural Security

    Structural security is security that has been baked into the very foundation of an application's architecture.

    - Apply simple, structural security, whenever possible.
    - General examples include concrete building material.
    - Technical examples include a hardened server or an environment with unused features and services removed.


    Principle of Least Privilege

    Narration: A basic principle in information security says that entities, such as people, processes, and devices, should be assigned the fewest privileges consistent with their assigned duties and functions. For example, the restrictive "need-to-know" approach denies access to all resources by default, then explicitly grants privileges as they are needed. Applying this principle to a corporate network would result in all data being off-limits except to specific users or groups.

    In contrast, a less-restrictive strategy opens all systems and closes access as required. For example, employees might be allowed access to all systems except human resources and accounting, which are limited to employees in those departments. This is not an ideal approach, as it requires the blacklist to be regularly updated any time new users are added; otherwise those users may be implicitly granted access that they should not have.

    Abiding by the principle of least privilege limits the damage from an accident, an error, or an attack, and reduces interactions among privileged programs. Successful attackers can only assume the authority associated with the compromised account.

    Some common examples of least privilege include giving users only the privileges they require to do their job, implementing a policy that requires administrators to log in with admin privileges only when they absolutely need to, and allowing applications to open only files for which they hold the required permissions.

    Test Everything

    It is important to perform security testing to catch improper design and coding practices that may have been missed earlier in your development process:

    - Never assume that security controls are effective until you can validate them with thorough testing.
    - Most security vulnerabilities will not be discovered during normal application use.
    - Allocate time for dedicated security testing within your project timeline.
    - Always test applications and application components, both in isolation and in the environment where the application is deployed.

    Narration: Since many vulnerabilities are caused by mistaken assumptions by programmers or by mistakes in the code, it is important to test all code for security vulnerabilities. An application or application component should not be assumed to be secure until security controls have been thoroughly tested.

    Typical application use cases or traditional feature testing will not find most securityvulnerabilities. Security testing must be performed in order to find security vulnerabilities, soit is important to allocate dedicated time for security testing during the testing phase of thesoftware development cycle.

    It is important to test for security vulnerabilities both in isolation and in the environment theapplication is designed to run in. It is common for a security vulnerability to be exploitableonly when the application is interacting with the operating system and other backendservices.

    Module Summary



    Understand and incorporate key security principles

    Security is a process of protecting information, so security principles should be incorporated within the software development lifecycle from the very beginning of the project. Incorporating these principles early within the development lifecycle dramatically improves the security of your application.

    Key security principles are least privilege, default deny, and input or data validation. The least privilege principle says that entities (people, processes, devices) should be assigned the fewest privileges consistent with their assigned duties and functions.

    The default deny principle states that access to resources and all application input should be denied unless specifically permitted.

    Use input and data validation to help prevent attacks based upon maliciously malformed data sent to your application over the Internet, through its UI, through corrupted files, or any other input stream your application can accept.



    Define Layered Security / Defense in Depth

    Layered Security, or Defense in Depth, is the strategy of using several concurrent methods, such as point security solutions, filtering systems, and monitoring strategies, to protect information technology resources and data.

    It addresses security vulnerabilities in personnel, technology, and operations for the duration of the system's lifecycle. Layered security makes it more difficult and time consuming for an attacker to mount an attack and limits what the attacker can access with each successful penetration.



    Define segmentation

    Segmentation is the practice of separating data from logic, segmenting data by privilege, and segmenting applications from environment to improve security. A common example of segmenting data from logic is housing data in a database on a non-publicly accessible system and configuring the Web root of your Web server on a partition separate from the operating system installation.

    The other way of segmenting data is by privilege. Segmenting data by privilege separates data by the authorization level required to access it. Database tables, Web folders, and configuration files are potential areas where privilege-based segmentation could be applied.

    An application can also be segmented from its environment. This confines the application to a safe space where its access to system resources is tightly constrained.


    Define structural security

    Structural security is the very foundation of an application's architecture. For example, using concrete as a building material gives a structural security benefit against the threat of building collapse. Another example might be including only one entrance or exit in an airport parking lot to monitor cars. Often, incorporating structural security makes an application simpler and easier to maintain, albeit sometimes at the expense of features.

    One good example of employing structural security is turning off unused services and removing unnecessary files from a host operating system. This minimizes the attack surface and exposes less functionality that may be attacked.


    Security Goals and Controls

    Module Overview
    Information assets and security go hand in hand. An organization's information assets are subject to security threats. Therefore, every organization's goal is to employ the best security system to protect their information assets from such threats. To develop secure systems, organizations need to define security goals and controls.

    Module Objectives

    After completing this module you will be able to:

    Explain the importance of the CIA triad.
    Explain the purpose of authentication and authorization.
    Explain the importance of error and exception handling.
    Explain the purpose of monitoring and logging.
    Explain the purpose of cryptography and encryption.
    Describe database authentication and controls.

    Narration: Often, an organization's information assets are subject to security threats. Therefore, every organization's goal is to employ the best secure systems to protect their assets from these threats.

    An important step in developing security systems is to define security goals and controls.

    This module will help you recognize the main security goals and features that you might require while developing a secure system. This module will first explain the importance of the security goals of confidentiality, integrity, and availability. The module will go on to explain the purpose of authentication, authorization, and access controls. Finally, the module will provide information about the purpose of error and exception handling, monitoring and logging, cryptography and encryption, and database security.


    Authentication


    The authentication process verifies the identity of an entity. The entity could be a computer or a computer user. Trust is established based on the quality of your authentication implementation and the strength of the entity-provided credentials.

    Common authentication mechanisms include:

    Passwords
    X.509 Certificates
    Kerberos Tickets
    Smart Cards
    Tokens
    Biometrics

    Narration: Forming goals is not enough to ensure software security. You also need to have various technical controls to manage security threats. That is why authentication, authorization, and access control are present in many types of applications.

    Authentication verifies the identity of a computer or a computer user. Commonly, the authentication process involves entering and verifying a username and a password.

    However, authentication can also include other methods of identity verification such as smart cards, retina scans, voice recognition, or fingerprints.

    There are different types of authentication such as basic authentication, digest authentication, form-based authentication, smart card, biometrics, and digital certificates. Trusting a particular authentication method is based on the quality of implementation and the strength of credentials.


    Authentication Considerations

    Any authentication method could have weaknesses.

    Authentication mechanisms are often the first target of an attack.

    Implementing Authentication

    Use two-factor authentication for added security.
    Define and test all authentication information for valid format and length.

    Narration: All authentication methods have weaknesses and can be breached because of poor implementation. Security vulnerabilities can occur in implementations that include passwords, certificates, or even biometrics.

    The authentication process is often attacked first because even an unauthenticated user can access the login page of your application.

    To strengthen the authentication process, you can use two-factor authentication. Two-factor authentication provides added security by simultaneously using two different factors to verify users. In two-factor authentication, a user must know something unique and possess something unique, for example, knowing a password and possessing a hard token to log in to a system.

    Authorization


    The authorization process:

    Determines and grants rights to an authenticated entity.
    Often uses Access Control Lists (ACLs) for resource-based authorization.

    May use LDAP servers to store information about user roles and privilege levels.

    Common authorization techniques are:

    Resource-based authorization, such as Access Control Lists (ACLs).
    Role-based authorization, such as LDAP or Active Directory.

    Narration: Authorization is the process of determining the rights that should be granted to an authenticated entity.

    After the identity of a user is authenticated, an application authorizes a user to perform actions in the system based upon the permissions associated with the authenticated identity or the permissions of the group or role that the identity belongs to.

    Authorization can also be performed on specific resources, such as a database or a file on the file system. Access Control Lists (ACLs) are a common mechanism by which resource-based authorization is performed on the Windows operating system.

    Authorization is similar to checking the guest list at an exclusive party or checking your opera ticket. In these cases, the security personnel verify the guest's name against the guest list. In this analogy, authentication is checking the ID and authorization is checking that name against the list of allowed guests.

    Similarly, authorization is often achieved via Access Control Lists (ACLs). You can grant or deny access based on a wide variety of criteria, such as the network address of the client or the time of day.

    Access control permits and restricts user entry. It behaves like a gate that closes after a stipulated time or a gate that only allows employees to enter the premises of an organization.
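As an added illustration (not part of the course material), the following Python sketch evaluates a small resource-based ACL of the kind described above: each entry names a user or role, a resource and a set of actions, and may be limited to a client network or a time-of-day window; the evaluation follows the default deny principle from the module summary, so a request with no matching allow entry is refused and an explicit deny entry always wins. The users, roles, resource names and policy are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class AclEntry:
    """One ACL entry: which principal may (or may not) perform which actions on a resource."""
    principal: str        # a user name, or "role:<name>" for a role-based entry
    resource: str         # constructed names such as "db:orders"
    actions: frozenset    # e.g. frozenset({"read"})
    allow: bool = True    # False makes this an explicit deny entry
    networks: tuple = ()  # CIDR strings the client must connect from; empty = any address
    hours: tuple = ()     # (start, end) time-of-day window; empty = any time


@dataclass(frozen=True)
class Request:
    """An access request from an already authenticated entity."""
    user: str
    roles: frozenset
    resource: str
    action: str
    client_ip: str
    at: time


def entry_matches(entry: AclEntry, req: Request) -> bool:
    """True when every criterion on the entry is satisfied by the request."""
    if entry.principal.startswith("role:"):
        if entry.principal[len("role:"):] not in req.roles:
            return False
    elif entry.principal != req.user:
        return False
    if entry.resource != req.resource or req.action not in entry.actions:
        return False
    if entry.networks:
        addr = ipaddress.ip_address(req.client_ip)
        if not any(addr in ipaddress.ip_network(net) for net in entry.networks):
            return False
    if entry.hours:
        start, end = entry.hours
        if not start <= req.at <= end:
            return False
    return True


def is_authorized(acl, req: Request) -> bool:
    """Default deny: a matching deny entry overrides everything; otherwise a matching allow entry is required."""
    matched = [entry for entry in acl if entry_matches(entry, req)]
    if any(not entry.allow for entry in matched):
        return False
    return any(entry.allow for entry in matched)


# Constructed sample policy: analysts may read the orders table from the internal
# network during business hours; the DBA may read and write it at any time; the
# "contractor" account is explicitly denied even though it also holds the analyst role.
SAMPLE_ACL = (
    AclEntry("role:analyst", "db:orders", frozenset({"read"}),
             networks=("10.0.0.0/8",), hours=(time(8, 0), time(18, 0))),
    AclEntry("dba", "db:orders", frozenset({"read", "write"})),
    AclEntry("contractor", "db:orders", frozenset({"read", "write"}), allow=False),
)


def check(user, roles, resource, action, client_ip, hour, minute=0):
    """Evaluate one request against SAMPLE_ACL (wrapper used by the examples below)."""
    req = Request(user, frozenset(roles), resource, action, client_ip, time(hour, minute))
    return is_authorized(SAMPLE_ACL, req)


if __name__ == "__main__":
    print(check("alice", {"analyst"}, "db:orders", "read", "10.1.2.3", 9, 30))       # True
    print(check("alice", {"analyst"}, "db:orders", "read", "203.0.113.7", 9, 30))    # False: wrong network
    print(check("alice", {"analyst"}, "db:orders", "read", "10.1.2.3", 22))          # False: outside hours
    print(check("alice", {"analyst"}, "db:orders", "write", "10.1.2.3", 9, 30))      # False: no allow entry
    print(check("contractor", {"analyst"}, "db:orders", "read", "10.1.2.3", 9, 30))  # False: explicit deny
    print(check("dba", set(), "db:orders", "write", "203.0.113.7", 3))               # True
```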


    Authorization Considerations

    Use access controls to structurally harden your environment. Keep in mind that thoughtful segmentation will facilitate authorization.

    Use the principle of least privilege and grant each entity the minimum privileges required for proper business functionality.

    Scrutinize integration with other components. Define responsibility and examine implementation carefully.

    Ask yourself, "What type of access does my application need?"

    Log files
    Configuration files
    Database tables

    Narration: Access controls help you structurally strengthen your environment. By appropriately setting access control permissions on your resources, you can reduce the amount of damage an attacker can inflict when exploiting a vulnerability.

    Use access controls to structurally harden your environment. Thoughtful segmentation will facilitate authorization.

    Use access controls to implement the principle of least privilege. The principle of least privilege states that you should grant the minimum privileges to the users and roles in your application so that they can accomplish appropriate tasks but are not allowed to do any more. For instance, you may lock down the account that accesses your database so that it only has permissions to read from specific tables rather than have the ability to read, write, and delete any table in the database. If an attacker is able to exploit a vulnerability, such as SQL injection, on your application, access controls on the database will limit the amount of damage that is possible.

    Scrutinize integration with other components. Define responsibilities and examine implementation carefully.

    Before designing access controls, analyze the type of access required by each of the roles in your applications.
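As an added example (not code from the course), the following Python script shows the database-side least privilege described in the narration above using SQLite's authorizer hook: the application's connection is permitted to SELECT from the products table only, so a statement the application was never meant to issue, such as reading customer records or deleting a table, is rejected by the database even if a flaw in the application let it through. The table names and rows are constructed for the example; a server database would express the same policy with GRANT statements on a dedicated application account.

```python
import sqlite3

# Tables the application's database role may read (constructed example policy).
APP_READABLE_TABLES = frozenset({"products"})


def least_privilege_authorizer(action, arg1, arg2, db_name, trigger_or_view):
    """SQLite authorizer callback: permit SELECT statements that read only the
    allowed tables and deny every other operation (INSERT, UPDATE, DELETE,
    DROP, PRAGMA, ...). For SQLITE_READ, arg1 is the table and arg2 the column."""
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and arg1 in APP_READABLE_TABLES:
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


def open_app_connection():
    """Build a constructed sample database, then lock the connection down to the
    application's read-only role before handing it out."""
    # isolation_level=None: autocommit, so the driver issues no implicit BEGIN
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.executescript("""
        CREATE TABLE products  (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT);
        INSERT INTO products  VALUES (1, 'widget', 9.99), (2, 'gadget', 19.99);
        INSERT INTO customers VALUES (1, 'alice@example.com', '1234');
    """)
    conn.set_authorizer(least_privilege_authorizer)
    return conn


def run_as_app(conn, sql, params=()):
    """Execute a statement under the restricted role.
    Returns ("ok", rows) when permitted, or ("denied", message) when the
    authorizer rejects the statement at prepare time."""
    try:
        return ("ok", conn.execute(sql, params).fetchall())
    except sqlite3.DatabaseError as exc:
        return ("denied", str(exc))


if __name__ == "__main__":
    conn = open_app_connection()
    # The query the application legitimately needs -> ('ok', [('widget', 9.99)])
    print(run_as_app(conn, "SELECT name, price FROM products WHERE price < ?", (15,)))
    # Everything outside the role's grant is refused by the database -> denied
    print(run_as_app(conn, "SELECT email FROM customers"))
    print(run_as_app(conn, "DELETE FROM products"))
    print(run_as_app(conn, "DROP TABLE customers"))
```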


    Module Summary


    Explain the importance of the CIA triad

    Information security is the principle of software applications maintaining security goals while handling information.

    Confidentiality, integrity, and availability are the goals of information security.

    Confidentiality refers to the privacy of an information asset. The key to integrity is protecting data from modification or deletion by unauthorized parties, and ensuring that when authorized people make changes that shouldn't have been made, the damage can be undone. Availability of information means the systems responsible for delivering, storing, and processing information are accessible when needed.


    Explain the purpose of authentication and authorization

    Various technical controls allow you to manage your security threats. The three techniques of authentication, authorization, and access control are generally present in all applications.

    The authentication process verifies the identity of a computer or a computer user. This process usually involves a username and a password. Authorization and access controls are the processes of determining the rights that should be granted to an authenticated entity.


    Explain the importance of error and exception handling

    Error messages are potential avenues by which too much information is disclosed to a user or a malicious individual. Inadvertently disclosing internal application details in error messages provides an opportunity to the attacker.


    Explain the purpose of monitoring and logging

    Monitoring and logging is the process of capturing and retaining events. While logging, you record data on application or system activity.


    Explain the purpose of cryptography and encryption

    Cryptography disguises messages so that only certain people can identify the actual message. Cryptography is a technological solution for protecting data in transit from sniffing and alteration. Cryptography is a predefined procedure to convert plaintext into ciphertext that uses encryption for disguising information.


    Describe database authentication and controls

    Database controls are used to limit what attackers can do. Database controls include logging, denying access to stored procedures, and running the database as a low privileged user.


    Security in the SDLC

    Module Overview
    This module will help you understand the root causes of software vulnerabilities and recognize that the cost of fixing these vulnerabilities increases dramatically in later stages of the development lifecycle. You will then be presented with the advantages of following a holistic approach that tackles security at every stage of the software lifecycle. This module will present you with a set of generic security activities that can be performed within your development process to help you, as an organization, reduce your software security risk and produce more secure software.

    Module Objectives
    After completing this module you will be able to:

    Identify the root causes of software vulnerabilities.
    Recognize that the cost of fixing vulnerabilities increases over time.
    Comprehend activities that reduce software security risk.

    Narration: In this module, you will be first introduced to the causes of software vulnerabilities and the importance of integrating security in the software development lifecycle. Then, this module will present you with a set of generic security activities and best practices that can be followed to help your organization effectively reduce its software security risk.

    Establishing Security Requirements


    As it marks the beginning of the development effort, the requirements phase is the most appropriate stage to kick off and set up your security development process.

    During the requirements phase, you should:

    Assign a security advisor, either internal to your organization, if available, or from a third-party organization. The security advisor needs to be a software security expert and will be the one validating security activities and deliverables.

    Assign security leads to the different teams involved in the process, such as the development and testing teams. The responsibility of these security leads will be to drive security efforts within their team.

    Establish a security bug bar specifying clear-cut security shipping requirements such as "ALL vulnerabilities allowing an attacker to access stored or transmitted credit card numbers MUST be remediated before release."

    Gather security requirements applicable to your software project such as any security standards or regulations it might be subject to, including PCI DSS, HIPAA, SOX, GLBA, and Basel II.

    Identify, acquire, and configure any software security tools needed later in the project, such as configuring your bug tracking system to track security vulnerabilities.

    Initiate risk assessment to determine the quantitative or qualitative value of the risks associated with your software project. Perform an objective evaluation of risks in which assumptions and uncertainties are clearly considered and presented.

    Narration: A software development lifecycle produces security deliverables at each phase. The requirements phase is the most appropriate stage to begin your security development process.

    During this phase, you should:

    Assign a security advisor who can be someone from your organization or even from a third-party organization. The security advisor needs to be a software security expert and will be the one validating security activities and deliverables.

    Assign security leads to the different teams involved in the process. This includes the development and testing teams who will drive security efforts within their team.

    Establish a security bug bar clearly indicating the security shipping requirements. For example, "ALL vulnerabilities allowing an attacker to access stored or transmitted credit card numbers MUST be remediated before release."

    Gather security requirements applicable to your software project such as any security standards or regulations it might be subject to, including PCI DSS, HIPAA, SOX, GLBA, and Basel II.

    Identify, acquire, and configure any software security tools needed later in the project, for example, configuring your bug tracking system to track security vulnerabilities.

    Initiate risk assessment to determine the quantitative or qualitative value of risk associated with your software project. An objective evaluation of risk in which assumptions and uncertainties are clearly considered and presented can be performed.

    Categorizing Threats


    Properly categorizing threats will enable you to identify effective countermeasures to be integrated in your software's design. A popular method for categorizing threats is the STRIDE approach. STRIDE was developed by Microsoft to classify threats identified while threat modeling. Each type of threat in STRIDE maps to a security property that each software should have to defend against the threat.

    The provided table defines these threat types and security properties to help you understand how they relate to each other.

    Threat | Security Property
    ------ | -----------------
    Spoofing Identity: the action of assuming the identity of another user, component, or system. | Authentication: the ability of a system to verify the identity of a user, component, or system.
    Tampering with Data: the action of illegally modifying data. | Integrity: the property of data that has not changed. Note: a system can take two approaches to ensure integrity: enforcing proper access control or tamper detection.
    Repudiation: the act of denying being the author of a given action. | Non-repudiation: the ability of a system to ensure that all actions are accounted for and can be traced back to their authors.
    Information Disclosure: the action of viewing confidential data without proper authorization. | Confidentiality: the property of data that is not viewed by unauthorized parties.
    Denial of Service: the act of preventing a system from functioning in accordance with its intended purpose. | Availability: the property of data that is accessible to legitimate parties whenever they need it to be.

    Narration: Threats can be categorized based on the goals and purposes of the attacks. Properly categorizing threats will enable you to identify effective countermeasures to be integrated in your software's design. STRIDE is the most common method used for categorizing threats. This method was developed by Microsoft to classify threats identified while threat modeling. Each type of threat in STRIDE is linked to a security property that software should have to defend against the threat.

    The provided table defines these threat types and security properties to help you understand how they relate to each other.

    Prioritizing Threat Mitigation


    Because it is usually not possible to address all threats at once, it is important for your organization to be able to prioritize them eff