3

Terry Dausterrydaus@yahoo.com

4

Understand Software Development Life Cycle (SDLC)

Enforce security controls in the development environment

Assess the effectiveness of softwaresecurity

Apply security across the landscape of the SDLC

5

CISSP approach for SoftwareDevelopment

Software Acquisition Security * Software Development Life Cycle (SDLC) Security Controls in the Development

Environment Common Software Development Issues Effectiveness of Software Security

6

Re-titled as “Security in the Software Development Life Cycle”

Why? Software is the prevalent interaction

component Mobility enables less direct access to “The

System” Software includes interaction across the

entire life cycle of data Combination of Live and Archived data Often access hybrid-mesh (private and public)

data across networking components that all run side-by-side

7

Integrity Model Assurance Processes

Security KernelHardware Interfaces

Hardware Abstraction Layer (HAL)

The “System”Reference

Monitor

Application Group / Suite

Program Program ProgramProgram Program

Application APIsNetworkAPIs

Hardware

Common Application Base

System APIs

Software Defined NetworkHypervisor

9

Goals Both aspects (Functionality and Security)

need to be looked at from the start of the project

Security should be integrated in the entire product and be implemented in a layered approach

Data and data processing procedures must be accurate at all times

Proactive, not Reactive

Defines the phases of software development

Select model based on the project

Don’t “band-aid” it in on top of an un-secure solution Expense of security “add-ons” increases

exponentially during later stages of a project

Comprehensive analysis

Ensure system will meet end-user

needs

Design system and software

Establish data input, flow, and output requirements

Design security features

Generate source code

Develop test scenarios and

test cases

Conduct unit and integration

testing Document for maintenance

An independent group tests to ensure: It will function within the organization’s

environment It meets all the functional and security

requirements

Test data should include: Data at the ends of the acceptable data ranges Various points in between Data beyond expected/allowable data points

Test with: Known good data Never live production data Sanitized data

Certification Authorization

Obtain security accreditation

Train the new users

Implement the system

Periodic evaluations and auditsChanges must follow SDLC and be recorded

Focuses on quality

management processes

Five maturity levels

ISO/IEC 90003:2004 is appropriate to software that is (mostly focuses on TQM): Part of a commercial contract with another

organization A product available for a market sector Used to support the processes of an organization Embedded in a hardware product, or Related to software services

INSTRUCTIONSComplete the table to compare the CMM and ISO.

CMM ISO

Purpose

Most applicable for …

Monitor the performance of the system

Ensure continuity of operations

Detect defects or weaknesses

Manage and prevent system problems

Recover from system problems

Implement system changes

Successful change management requires:

Benefits management and realization

Effective communication

Effective education,

training

Counter resistance

Monitoring of the

implementation

Management technique that simultaneously

integrates all essential acquisition activities

through multidisciplinary teams

Develop and test against production-like systemsDeploy with repeatable, reliable processes

Monitor and validate operational quality

Amplify feedback loops

PrototypingModified

Prototype Model (MPM)

Rapid Application

Development (RAD)

Joint Analysis Development

(JAD)Exploratory

Model

Computer-Aided Software Engineering

(CASE) Component-Based

Development

Reuse Model Extreme Programming

Combine models

Consider security

INSTRUCTIONS Working with a partner, please note your assigned methods in the top row of the table.

Method 1: Method 2: Method 3:

Inappropriate circumstance

Best circumstance

A suite of application programs that typically manages large, structured sets of persistent data

Stores, maintains, and provides access to data using ad hoc query capabilities

The database engine itself

The hardware platform

Application software Users

The relationship between the data elements and provides a framework for organizing the data: Transaction Persistence Fault Tolerance and Recovery Sharing by Multiple Users Security Controls

Oldest of the database models

Stores data in a series of records that have field values attached

Collects all the instances of a specific record together as a record type

Uses parent/child relationships through the use of trees

Useful for mapping 1:N relationships

Also known as Distributed Database Model

Represents its data in the form of a network of records and sets that are related to each other

Records are the equivalent of rows in the relational model

Record types are sets of records of the same type

Data is stored in more than 1 database but relatively hierarchically

Useful for N:N relationships

Based on set theory and

predicate logic

Provides a high level of

abstraction

Tables or relations Integrity rules

Data manipulation agents

Attributes Tuple

Primary keys Foreign key value

To solve the problems of concurrency and security

within a database, the database must provide

some integrity

Language in which users may issue commands

The main components of a database using SQL are: Schemas Tables Views

Data Definition Language

(DDL)

Data Manipulation

Language (DML)

Data Control Language

(DCL)

One of the most recent database

models

Stores data as objects

INSTRUCTIONSMatch the database model with the correct description.

a. Hierarchical Database Model

b. Network Database Management Model

c. Relational Database Management Model

d. Object-Orientated Database Model

1. _____ Stores data in a series of records that have field values attached. It

collects all the instances of a specific record together as a record type. 2. _____ Allows data to be structured in a series of

tables that have columns representing the variables and rows that contain specific

instances of data. 3. _____ One of the most recent database models. 4. _____ Represents data in the form of a network of records and sets that are related to each other, forming a network of links.

INSTRUCTIONSMatch the database model with the correct description.

a. Hierarchical Database Model

b. Network Database Management Model

c. Relational Database Management Model

d. Object-Orientated Database Model

1. __a__ Stores data in a series of records that have field values attached. It

collects all the instances of a specific record together as a record type. 2. __c__ Allows data to be structured in a series of

tables that have columns representing the variables and rows that contain specific

instances of data. 3. __d__ One of the most recent database models. 4. __b__ Represents data in the form of a network of records and sets that are related to each other, forming a network of links.

Open Database Connectivity (ODBC)

Java Database Connectivity (JDBC)

eXtensible Markup Language (XML)

Object Linking and Embedding Database (OLE DB)ActiveX Data Objects (ADO)

1. What is a markup language?

2. What is Object Linking and Embedding (OLE)?

3. What is the protocol that allows OLE to work?

4. What is JDBC?

1. What is a markup language?A system of symbols and rules to identify structures (format) in a document

2. What is Object Linking and Embedding (OLE)?A Microsoft technology that allows an object, such as an Excel spreadsheet, to be embedded or linked to the inside of another object, such as a Word document

3. What is the protocol that allows OLE to work?The Component Object Model (COM)

4. What is JDBC?An API from Sun Microsystems used to connect Java programs to databases

API security issues including: Authentication of users Authorizations of users Encryption Protection of the data from unauthorized entry,

accountability, and auditing Availability of current data

There can be any number of layersThree-tier approach is most typical: Presentation layer Business logic layer Data layer

Microsoft high-level interface for all kinds of data

No configurable restrictions on its access to the underlying system

Newer browsers implement sandboxing and stronger ActiveX controls to help mitigate this vulnerability

Metadata is useful because it provides: Valuable information about the unseen

relationships between data The ability to correlate data that was previously

considered unrelated The keys to unlocking critical or highly important

data inside the data warehouse

OLAP technologies provide an analyst with the ability to formulate

queries and define further queries

As a first line of security to prevent unauthorized users from accessing the system, the DBMS should use: Identification Authentication Authorization Other forms of access controls

Locks are used for read and write access to specific rows of data in relational systems or objects in object-oriented systems Atomicity - All or None Consistency - Changes maintain consistency Isolation - Pending transactions are Invisible to others Durability - When you say it’s done, it stays Done

The ACID test: ALL CHANGES are INVISIBLE until DONE

View-Based Access Controls

Grant and Revoke Access Controls

Security for Object-Oriented (OO)

Databases

Metadata ControlsData

Contamination Controls

Data processing system facilitating and managing transaction-oriented applications

The security concerns for OLTP systems are: Concurrency Atomicity

A key feature of knowledge

management is application of artificial intelligence techniques

to decision support

Mathematical, statistical, and

visualization method of identifying valid and

useful patterns in data

Protecting the knowledge base

Routinely verifying decisions

Changes to the rules must go through a

change control process

Additional and different queries to

verify the information

Making risk management

decisions

Developing a baseline of expected performance from the

analytical tool

Most attacks are conducted at the application level

Designed to be widely accessible

Usually heavily advertised

Administrators turn off logging

Not well suited for firewalls and intrusion detection systems

Particular assurance sign-off process for web servers

Harden operating system of such servers Extend web and network vulnerability scans

prior to deploymentPassively assess IDS and IPS technologyUse application proxy firewallsDisable unnecessary documentation and

libraries

Remove or appropriately secure administrative interfacesOnly allow access from authorized hosts or networksDo not hard code the authentication credentialsUse account lockout and extended logging and auditEnsure the interface is at least as secure as the rest of the application

Development Guide

Code Review Guide Testing Guide

Top Ten Web Application

Security Vulnerabilities

OWASP Mobile

The objective of information security is to make sure: That the system and its resources are available

when needed That the integrity of the processing of the data

and the data itself is ensured That the confidentiality of the data is protected

More distributed

Substantial increase in open protocols, interfaces, and source code

Increased sharing requires increased protection

More complex

Linus’s law:

With sufficiently many eyeballs looking at

the code, all bugs will become apparent

INSTRUCTIONSWith a partner, discuss your thoughts on whether open source leads to quick identification and repair of issues.

Individuals who find security

vulnerabilities will publicly disseminate

the information

This environment begins with the standard model of hardware resources, with items such as: Central processing unit (CPU) Memory Input/output (I/O) requests Storage devices

A programming language is a set of

rules telling the computer what

operations to perform

First generation(Machine)

Second generation(Assembly)

Third generation

(High-Level)

Fourth generation

(Report Gens)

Fifth generation

(Natural Lang)

Higher-level languages

Machine language

Directive patterns

Verifier Class Loader

Security Manager

Java Certification Path API Java GSS-API

Java Authentication and Authorization

Service (JASS)

Java Cryptography Extension (JCE)

Java Secure Socket Extension (JSSE)

Encapsulation Inheritance

Polymorphism Polyinstantiation

Specific objects, instantiated from a higher class, may vary

their behavior depending upon the data they contain

Encapsulation Polyinstantiation

Allow applications to be divided into components that can exist in different

locations

A set of standards that addresses the need for

interoperability between hardware and software

When reviewing implementations, consider: Supported CORBA security features

CORBA security

Administration

Access control mechanisms

Tools for capturing and reviewing audit logs

Any technical evaluations

A software library consists of pre-written

code, classes, procedures, scripts, and

configuration data

Increased Dependability

Reduced Process Risk

Effective Use of Specialists

Standards Compliance

Accelerated Development

A standard library in computer programming is the library made available across implementations of a programming language

The C standard library

The C++ standard library

The Framework Class Library

(FCL)

The Java Class Library (JCL)

The Ruby standard library

A program or application that software developers use to create, debug, maintain, or

otherwise support other programs and applications

Combine the features of many

tools

Maximize programmer productivity

A runtime system exhibits the behavior of the

constructs of a computer language

Based on the principle of representing oneself as someone who needs or

deserves the information to gain access to the system

INSTRUCTIONSReview each of the security weaknesses/threats on your own and write a brief, simple explanation after each one

Buffer Overflow Citizen Programmers Covert Channel Malformed Input Attacks

Memory Reuse (Object Reuse)

Executable Content/Mobile Code

Time of Check/Time of Use (TOC/TOU)

Between-the-Lines Attack Trapdoor/Backdoor

Designed to analyze source code to help find

security flaws

Used in software development phase

Scale well Output is good for developers

Many security vulnerabilities are

difficult to find automatically

False positivesFrequently cannot find configuration

issues

Difficult to prove actual vulnerability

Difficulty analyzing code that cannot be

compiled

Google CodeSearchDiggity FindBugs FxCop (Microsoft) PMD

PreFast (Microsoft) RATS (Fortify) OWASP SWAAT Project Flawfinder

RIPS Brakeman Codesake Dawn VCG

IBM Security AppScan

Source Edition Insight

(KlocWork) Parasoft Test

Seeker Source Patrol (Pentest)

Static Source Code Analysis

with CodeSecure

Static Code Analysis

(Checkmarx) Security Advisor

(Coverity) Veracode

Can compromise programs and data to the point where they are no longer available

Generally uses the resources of the system it has attacked

Viruses are the largest class of malware

A program written with functions and intent to copy and disperse itself without 

the knowledge and cooperation of the owner or 

user of the computer 

File Infectors

Boot Sector Infectors

System Infectors

Companion Virus E-mail Virus Multipartite

Macro Virus Script Virus

Worms Hoaxes Trojans

DDoS Zombies

Logic Bombs

Spyware and

Adware

Pranks Botnets

INSTRUCTIONSWorking with your partner or small group, review

your assigned malware type and prepare to share it with the rest of the group

Please include the following in your introduction: Definition Example Ideas about how to avoid and/or overcome this

type of malware

Do not double-click on

attachments

Describe the content of

attachments

Do not blindly use the most widely

used products as a company standard

Disable Windows Script Host,

ActiveX, VBScript, and JavaScript

Do not send HTML-formatted e-mail

Use more than one scanner, and scan

everything

Scanners Heuristic Scanners Activity Monitors

Change Detection Reputation

Monitoring/Zero-day/Zero-hour

Antimalware Policies

Collection of all of thehardware, software, and

controls within a computersystem that can be trusted toadhere to the security policy

Ensures any subject attempting to

access any object has the appropriate

rights to do so

Protects the object from unauthorized

access attempts by bad actors

Made up of all of the components of the TCB and it is responsible for

implementing and enforcing the reference

monitor

Protect the processor and the activities

that it performs

Privilege levels are typically

referenced in a ring structure

A buffer overflow: Is caused by improper bounds checking on input

to a program Must be corrected by the programmer or by

directly patching system memory

The lack of parameter

checking can lead to buffer overflow

attacks

Operating systems should offer some

type of buffer management

Ensure that multiple processes do not attempt

to access the same system resources at the

same time

Interrupts allows the operating system to ensure that a

process is given enough time to access the CPU when necessary to carry out its

required functions

Encapsulating a process means that no other

process is able to understand or interact with the internal programming

code of the process

Allows the operating system to provide structured access

to processes that need to use resources according to a

tightly managed schedule

Ensure that each process is assigned a unique identity

within the context of the operating system

Allows each process to have access to its own

memory space as it executes

Enforced through the operating

system’s use of the memory manager

Provide an abstraction level for programmers

Maximize performance with the limited amount

of memory available

Protect the operating system and applications

once they are loaded into memory

Relocation Protection Sharing

Logical organization

Physical organization

Allow the operating system to make sure that a process is only able to interact with the defined

memory segments

Access kernel components only while in kernel mode

ASLR and process isolation

Data execution prevention

(DEP)

Use of ACLs to protect shared

memory

Inspection of sharedcommunication channels thatcould allow two cooperating

processes to transferinformation in a way that

violates the system’s securitypolicy

Cryptographic techniques protect the confidentiality

and integrity of information

Encrypting stored passwords

with hashes, and usingoverstrike masking within

application interface

If there is not enough granularity of security users may be able to gain more

access permission than needed

Development environment

Quality assurance

environment

Application (production) environment

If there are multiple threads of execution occurring at the same time, a TOC/TOU attack is possible

Attack takes advantage of event timing dependencies in a multitasking operating system

To avoid TOC/TOU attacks, the operating system should use software locking

Some of the ways attackers can try to use social influence over users include: Subtle intimidation Bluster Pulling rank Exploiting guilt Pleading for special treatment Exploiting a natural desire to be helpful Appealing to an underling’s subversive streak

Backing up operating system and application software ensures productivity in the event of a system crash

Operation copies of software should be available in the event of a system crash

Analysis of program code to determine or

provide evidence for the intent or authorship of a

program

Examples of threats to resources include:

Disclosure of information

Denial-of-service (DoS)

attacks

Damaging or modifying data

Annoyance attacks

Provides a protective area for program execution

Type-safe language: Method of providing safe execution of programs Ensures that arrays stay in bounds, the pointers are

always valid, and code cannot violate variable typing

Goal is to guarantee integrity, availability, and

usage of the correct version of all system

components

The set of artifacts (configuration items)

under the jurisdiction of CM

How artifacts are named How artifacts enter and leave the controlled set

How an artifact under CM is allowed to

change

How different versions of an artifact under CM are

made available

How CM tools are used to enable and enforce

CM

Protect shared software from unauthorized modification

with policies, developmental controls, and life cycle

controls

Spend a few minutes studying the measuresprovided: Note the ones that will be of particular value in

your organization Note one or more concerns and issues that may

not fit under these measures

Application Programming Interfaces Are the connectors for the Internet of Things (IoT),

allowing our devices to speak to each other The “unknown, unseen force”

A means of expressing specific entities in a system by URL path elements

Allows interaction with a web-based system via simplified URLs

Employ the same security mechanisms for your APIs as any web application your organization deploys

Do not create and implement your own security solutions

Unless your API is a free, read-only public API, do not use single key-based authentication

Do not pass unencrypted static keys

Use HMAC

Basic Authentication

w/TLSOauth1.0a

Oauth2

“RESTful web services should use session-based authentication, either by establishing a session token via a POST

or using an API key as a POST body argument or as a cookie. Usernames

and passwords, session tokens, and API keys should not appear in the URL, as

this can be captured in web server logs and makes them intrinsically

valuable….”

Federal agency mandated to

conduct security certification testing

Certification process is followed with authorization

The revised process emphasizes: Building information security capabilities Maintaining awareness Providing essential information to senior leaders

The risk management process changes the

traditional focus of C&A as a static, procedural activity to a more dynamic approach

Encourages the use of automation

Integrates information security

Emphasizes selection, implementation, assessment, and monitoring of security controls

Links risk management processes at the information-

system level to risk management processes at the organization level

Establishes responsibility and accountability for security controls

Which characteristic(s) embody the dynamic nature of the RMF compared with a more traditional approach?

Why?

Why private organizations may choose certification: Control framework Low overhead Use of standards Includes all aspects of a system’s security

With a partner, discuss why or why not you think it’s a good idea for private organizations to pursue certification.

Systems and network device reporting is

important to the overall health and security of

systems

Are records of actions and events that have taken place on a computer system

Provide a clear view of who owns a process, what action was initiated, when it was initiated, where the action occurred, and why the process ran

Are primary record keepers of system and network activity

The enterprise should have auditing policies in place that

effectively and efficiently collect information regarding critical

events in the form of logs and to manage them appropriately

VMware, Microsoft, Oracle, and Cisco

NIST SP 880-92 Guide to Computer Security Log

Management

NIST SP 800-137 ISCM for Federal Information

Systems and Organizations

CERT-IN Security Guidance CISG-2008-01

Information integrity

Information accuracy

Character checks

Relationship checks

Transaction limits

Information auditing

Risk An event that has a probability of occurring and

could have either a positive or negative impact to a project should that risk occur

•Cause: Reduction in assigned personnel to design a

projectRisk event: The assigned personnel may not be adequate for

the activity Impact: If that event occurs, there may be an impact on

the project cost, schedule, or performance

An ongoing process that continues through the life of a project

Includes processes for: Risk management planning Identification Analysis Monitoring Control

When a risk is identified, it is: 1. Assessed to ascertain:

The probability of occurring The degree of impact to the schedule, scope,

cost, and quality2. Prioritized

The assignment of risk priority is based on: The probability of occurrence The number of categories impacted The degree (high, medium, low) to which they

impact the project

Risk register Document

risk statement

Mitigation steps

Contingency plan

Contingency plans implemented prior to the risk occurring are pre-emptive actions

intended to reduce the impact

Monitor all risks on a scheduled basis

Integrate analysis and strategy into

the SDLC

Use standardized methods

Track and manage weaknesses

Memorialize resultant risk

decisions

Implement policies and procedures to limit the

vulnerabilities by implementing

applicable vendor patches

Ensure a patch management solution is

architected and implemented

Use a Change Control Process

Read All Related Documentation

Testing

Have a Working Backup and Schedule Production Downtime

Always Have a Back-Out Plan

Forewarn Help Desk and Key User Groups

Target Non-Critical Servers First

Not all findings need to be mitigated You must be in a position to provide: The finding How the risk was determined The remediation cost details

Ishikawa Diagrams P-Diagrams

Preliminary Hazard Analysis

(PHA)

Failure Modes and Effect

Analysis (FMEA)

Failure Modes and Effect Criticality

Analysis (FMECA)

Hazard Analysis of Critical Control Points (HACCP)

When mitigations are implemented, they must be tested

Development environments are supported with testing teams and quality assurance

Security findings should be addressed the same as any other change request

Developer or system owner does not declare the risk mitigated without concurrence of an independent verification and validation (IV&V)

• Code signing:‒ A technique that can be used to:

• Ensure code integrity• Determine who developed a piece of code• Determine the purposes for which a developer

intended a piece of code to be used

• Certificates:‒ Digital certificates that will help protect users

from downloading compromised files or applications

Seal Digital signature

Unique identifier

Cannot guarantee that a piece of code is free of security vulnerabilities

Cannot guarantee an app will not load unsafe or altered code during

execution

Is not a DRM or copy protection technology

Whenever developers change or modify their software, even a small

tweak can have unexpected consequences

Tests existing software applications to make sure that a change or addition has not broken any existing functionality

Catches bugs that may have been accidentally introduced into a new build or release candidate

Ensures that previously eradicated bugs continue to stay dead

Test fixed bugs promptly

Test fixed bugs promptly

Watch for side effects of fixesWatch for side effects of fixes

Write a regression test for each bug

fixed

Write a regression test for each bug

fixed

If two or more tests are similar, get rid of the less

effective one

If two or more tests are similar, get rid of the less

effective one

Archive tests that the program

consistently passes

Archive tests that the program

consistently passes

Focus on functional issues, not design issues

Focus on functional issues, not design issues

Make changes to data and find

any resulting corruption

Make changes to data and find

any resulting corruption

Trace the effects of the changes

on program memory

Trace the effects of the changes

on program memory

INSTRUCTIONSWork with a partner to identify at least three more strategies for success.

Develop a standard battery of test cases that can be

run every time a new version of the program is

built

A formal test conducted to determine whether a

system satisfies its acceptance criteria and to

enable the customer to determine whether or not

to accept the system

In agile software development, acceptance tests/criteria are usually: Created by business customers Expressed in a business domain language

“Software assurance is the level of confidence that software is free from vulnerabilities, either intentionally designed into the

software or accidentally inserted at any time during its life cycle, and that it functions

in the intended manner.”

Planning Contracting

Monitoring and Acceptance Follow-on

Needs determination: Develop software requirements Create an acquisition strategy Develop evaluation criteria and an evaluation

plan

Create/issue the solicitation

or RFP

Evaluate supplier

proposals

Finalize contract

negotiation

Establish and consent to the contract work

schedule

Implement change control

procedures

Review and accept software

deliverables

Sustainment Disposal or decommissioning

1. What activities take place during the planning phase?

2. What activities take place during the monitoring and acceptance phase?

Ensure a well-documented SwA policy and process is in place in the enterprise

Unintentional errors

Intentional insertion of malicious code

Theft of vital information

Theft of personal information

Changed product

Inserted agents

Corrupted information

“System and software assurance focuses on the management of risk and

assurance of safety, security, and dependability within the context of system

and software life cycles”

How does the supplier ensure that an infrastructure for safety and security is established and

maintained?

How does the supplier ensure safety and security risks are identified and managed?

How does the supplier ensure safety and security

requirements are satisfied?

How does the supplier ensure that activities and products are

managed to achieve safety and security requirements and

objectives?

Understand the Software Development Life Cycle (SDLC) and how to apply security to itIdentify which security control(s) are

appropriate for the development environmentAssess the effectiveness of software

security

121

Q & A

Terry Dausterrydaus@yahoo.com