SW Security - 5 - Software Security section 2
With usability heuristic, one rule is to match between system and the real world which mean?
System speaks the users' language Follow real world conventions, information appear in natural and logical orders
What is GLBA and its 3 principles?
The Gramm-Leach Billey Act - protection of consumers' personal financial information 3 Principles: + Financial Privacy Rule + Safeguards Rule + Pretexting Provisions
Describe usability heuristic - user control
Users often choose system functions by mistake and will need a clearly marked "emergency exit" to leave the unwanted state without having to go through an extended dialogue. Support undo and redo.
Describe Usability Heuristics: Consistency
Users should not have to wonder whether different words, situations, or actions mean the same thing. Follow platform conventions.
What is WYSIATI ?
What you see is all there is
Describe the main concepts of Children's Online Privacy Protection Act
Applies to the online collection of personal information for those under 13. • Operators must: - Clear and comprehensive online privacy policy - Obtain parental consent - Provide a way for a parent to review collected data - Ensure technical security of collected data
Things to consider at MS SDL Phase 2 :: SECURITY assessment
Ask questions like Which portions of the project will require threat models before release? • Which portions of the project will require security design reviews before release? • Which portions of the project (if any) will require penetration testing by a mutually agreed upon group that is external to the project team? • Are there any additional testing or analysis requirements the security advisor deems necessary to mitigate security risks? • What is the specific scope of the fuzz testing requirements?
Why security features have to be usable?
Because of people who : + an important part of any system + the weakest link and people will: + discard/bypass security features if they are hard to use
The genesis of BSIMM?
Build a maturity model from actual data • 6 verticals (with overlap) - Financial services (42) - Independent software vendors (30) - Cloud (15) - Healthcare (15) - IoT (12) - Insurance (10) • 4 domains • 12 practices • 112 activities
How do we "model people" ?
By +Behavioral study +Cognitive science (WYSIATI) +Heuristic models
Describe Usability Heuristics: Tailor
Flexibility and efficiency of use Allow users to tailor frequent actions.
Define SAFEcode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of proven software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services.
Some good references for phase 2 - Requirements
Security Definitions for Vulnerability Work Item Tracking Security Requirements Questionnaire Secure Code Review Guidance and Code Priority Definitions Bug bar samples Privacy questionnaire samples
MS SDL Phase 4 :: Implementation phase :: Perform Static Analysis
"Code review with a tool" • Search through code to detect bug patterns (error prone coding practices that arise from the use of erroneous design patterns, misunderstanding of language semantics, or simple and common mistakes). • Increasingly being used to identify security vulnerabilities • Faster than manual code review; can be done more often - Sometimes part of a quality gate before checking in code to the code base. • Don't require the tool operator to have a high degree of security expertise
Briefly describe 4 technical requirements of HIPAA
+ Access control: only allowed persons to access PHI + Audit control: record and examine access + Integrity controls: ensure e-PHI is not improperly altered or destroyed + Transmission security: ensure the integrity of in-transit e-PHI
Describe Privacy - Information processing
+ Aggregation (combine data) + Identification (linking info to an individual) + Insecurity (carelessness in protecting stored information from leaks and improper access, vulnerability to future harm) + Secondary use: use info for other purposes than the intended purpose + Exclusion: Failure to allow the person to know about the data collected or to participate in how it is used
MS SDL Phase 7 :: Execute the response plan
+ Alas, some vulnerabilities may be discovered after release + Get ready to execute on response tasks outlined during Security Response Planning
List 4 main technical ways for Privacy Controls
+ Anonymity + Pseudonymity + Unobservability (no one can find of out a user is using a resource or service) + Unlinkability (sender and receiver can't be identified as communicating with each other)
Briefly describe PHI
+ Any health information that can be used to identify patient. + PHI includes: med records, pii, financial info,
Describe Privacy - Information Dissemination
+ Breach of confidentiality + Disclosure + Exposure + Increased accessibility + Blackmail + Appropriation (use info of a person to serve the interests of another) + Distortion
Describe Privacy in context of the C.I.A triad ?
+ Confidentiality: Degree to which the "data is disclosed only as intended" + Integrity: Degree to which a system or component guards against improper modification or destruction of computer programs or data." + Availability: Degree to which a system or component is operational and accessible when required for use."
Common activities in BSIMM Intelligence category
+ Create a data classification scheme and inventory + Build and publish security features + Translate compliance constraints to requirements
List the SDL practices in the MS SDL Phase 6 :: Release
+ Create an incident response plan + Conduct final security review + Certify release and archive
What defines the need for privacy ?
+ The purposes for which people want to conceal the piece of info and the uses that others may make of it + Nature of the information + "State" of the information + Context
List the SDL practices in the MS SDL Phase 3 :: Design phase
+ Establish Design Requirements + Attack Surface Analysis/Reduction + Use Threat Modeling
List 4 domains and 12 practices of BSIMM
+ Governance: Strategy and metrics (SM), Compliance&Policy, Training + Intelligence: Attack Models (AM), Security features & Design (SFD), Standards&Requirements (SR) + SSDL Touchpoints: Architecture analysis (AA), Code Review (CR), Security Testing (ST) + Deployment: Penetration testing, Software Environment (SE), Configuration management & Vulnerability Management (CMVM)
Common activities in BSIMM Governance category
+ IDentify gate locations, and gatehr necessary artifacts + Identify PII obligations + Provide awareness training
The key concepts of the Code of Fair Information Practices
+ No secret PII keeping system People should be + able to know what PII collected and how it's used + able to prevent missuse of their PII (unauthorized 2nd purpose) + amend/correct PII Organizations must be + assure data is being used correctly + able to establish precautions
List some recommended main sections in a Privacy Policy document
+ Notice/Awareness (stated prior to info collection, easy to understand, stated clearly what is being collected) + Choice/consent + Integrity/Security (show how the organizations will protect the info to be collected) + Access/Participation (how info may be accessed, corrected by the user)
List the SDL practices in the MS SDL Phase 5 :: Verification
+ Perform Dynamic analysis + Perform Fuzz testing + Conduct attack surface review
Common activities in BSIMM SSDL Touch points category
+ Perform security feature review + Have SSG perform ad hoc review + Ensure QA supports edge/boundary value condition testing
List some references for MS SDL Phase 4 :: Implementation phase
+ Recommended compilers list + Safe CRT, SDL banned function calls list, SDL banned APIs list + Code analysis tools
List some foundational concepts that should be covered in security training
+ Secure design (attack surface reduction, defense in depth, security principles...) + Threat modeling + Secure coding (buffer overflow, css, injection...) + Security testing + Privacy (best practices, assessments, development...) + Advanced topics such as trusted user interface design, custom threat mitigations, ...
What are the maximum penalties for HIPAA non-compliance (civil level and criminal level)
+ Up to 25 grand for civil penalties + Up to 250 grand and 10 years in prison for criminal penalties
Common activities in BSIMM Deployment category
+ Use external penetration testers to find problems + Ensure host and network security basics are in place + Identify software bugs found in operations monitoring and feed them back to development
List the SDL practices in the MS SDL Phase 4 :: Implementation
+ Used approved tools + Deprecate unsafe functions + Perform static analysis
What are the characteristics of good security training plan?
+ clear connection between base knowledge, interest level, job goals, individual learning style, material presented + Supported by executive management and reinforced as part of the culture + Experienced instructors + Role-based training
The degree of anonymity of statistical data depends on
- Database size - The entropy of the demographic data attributes that can serve as supplementary knowledge for an attacker
Depersonalization means anonymization of data subjects. Describe perfect depersonalization, practical depersonalization and the controls of depersonalization
- Perfect depersonalization: • Data rendered anonymous in such a way that the data subject is no longer identifiable - Practical depersonalization: • The information concerning personal or material circumstances can no longer or only with a disproportionate amount of time, expense and labor be attributed to an identified or identifiable individual - Controls for depersonalization include: • Inference controls for statistical databases • Privacy-preserving methods for data mining
According to Simone Fisher-Hubner, in order to protect confidentiality and integrity of personal data, we can use?
- Privacy-enhanced identity management - Limiting access control - Enterprise privacy policies - Encryption - Specific tools
The entropy of the demographic data attributes depends on?
- The number of attributes - The number of possible values of each attribute - Frequency distribution of the values - Dependencies between attributes
What are Norman's 4 principles of good design?
- The state and the action alternatives should be visible - Should be a good conceptual model with a consistent system image - Interface should include good mappings the reveal the relationships between stages - Users should receive continuous feedback
Failures of Norman's 4 principles of good design will lead to?
- Users can form an inadequate goal - Users might not find the correct interface object because of an incomprehensible label or icon - Users may not know how to specify or execute a desire action - Users may receive inappropriate or misleading feedback
Describe phase 1 - Training in MS SDL
A prerequisite for implementing the SDL. Foundational concepts for building better software include secure design, threat modeling, secure coding, security testing, and best practices surrounding privacy.
What are Norman's seven stages of action?
1. Forming the goal 2. Forming the intention 3. Specifying the action 4. Executing the action 5. Perceiving the system state 6. Interpreting the system state 7. Evaluating the outcome
Briefly describe privacy taxonomy
A loop of : Data subject, information collection, information processing, information dissemination, and invasions
Briefly define what is a Privacy Policy
A natural language description of how information is collected, used, disclosed Written for users of a system and enforced by US regulators
MS SDL Phase 4 :: Implementation phase :: Deprecate Unsafe Functions
Analyzing all project functions and APIs and banning those determined to be unsafe helps reduce potential security bugs with very little engineering cost. Specific actions include using header files, newer compilers, or code scanning tools to check code for functions on the banned list, and then replacing them with safer alternatives.
What Products and Services Should Adopt the Security Development Lifecycle Process?
Any software that: + deployed within an org + deals with PII + deals with children 13 or younger + connect to network/internet, and/or automatically download updates + deals with data from unauthorized sources + deals with ActiveX and/or COM controls
MS SDL Phase 6 :: Release :: Certify release and archive
Certifying software prior to a release helps ensure security and privacy requirements were met. Archiving all pertinent data is essential for performing post-release servicing tasks and helps lower the long-term costs associated with sustained software engineering. Archiving should include all specifications, source code, binaries, private symbols, threat models, documentation, emergency response plans, and license and servicing terms for any third-party software.
List the foundational security practices that must be established once at the start of every new Agile project
Establish security requirements Security & privacy risk assessment Establish design requirements Analyze attack surface Incident response plan
Describe Usability Heuristics: Help
Even though it is better if the system can be used without documentation, it may be necessary to provide help and documentation. Any such information should be easy to search, focused on the user's task, list concrete steps to be carried out, and not be too large.
List Essential security practices that should be performed in every sprint.
Core security training Threat modeling Use approved tools Deprecate unsafe functions Static analysis Final security review Release archive
List the foundational security practices that must be completed on a regular basis but can be spread across multiple sprints during the project lifetime
Create quality gates/bug bars Dynamic analysis Fuzz testing Attack surface review
Things to consider at MS SDL Phase 2 :: Create quality gates/bug bars
Define and document a bug bar for security and privacy - Classification of what are moderate, important, or critical security and privacy bug types - User to set priority for fixing and to determine if the product can ship • Ensure that bug reporting tools can track security and privacy issues and that a database can be queried dynamically for all security bugs
Briefly describe MS SDL Phase 2
Defining and integrating security and privacy requirements. This phase helps make it easier to identify key milestones and deliverables and minimize disruptions to plans and schedules. Create Quality gates/bug gars Perform security and privacy risk assessments
Describe Usability Heuristics: "Just the Facts"
Dialogues should not contain information which is irrelevant or rarely needed.
Describe Usability Heuristics: Prevent Errors
Either eliminate error-prone conditions or check for them and present users with a confirmation option before they commit to the action.
Describe the k-anonymity problem
Given person-specific field-structured data, produce a release of the data with scientific guarantees that the individuals who are the subjects of the data cannot be re-identified while the data remain practically useful. For each person, they can't be distinguished from k-1 others.
What is HIPAA and its major components?
HIPAA = Portability and Accountability Act (HIPAA). Main components: • Protection for the PRIVACY of Protected Health Information (PHI) • Protection for the SECURITY of Protected Health Information • Standardization of electronic data interchange in healthcare transactions
Describe Usability Heuristics: Recoverability
Help users recognize, diagnose, and recover from errors
MS SDL Phase 5 :: Verification :: Perform Fuzz testing
Inducing program failure by deliberately introducing malformed or random data to an application helps reveal potential security issues prior to release while requiring modest resource investment. Fuzz testing is black box testing. Fuzz testing tools are available. The tools find opportunities for input and will send attack strings.
Things to consider at MS SDL Phase 2 :: PRIVACY assessment
Initial Privacy Impact Rating (PIR) - Stores personally identifiable information (PII) on the user's computer or transfers it from the user's computer (P1) - Provides an experience that targets children or is attractive to children (P1) - Continuously monitors the user (P1) - Installs new software or changes file type associations, home page, or search page (P1) - Transfers anonymous data (P2) - None of the above (P3)
Describe Privacy - Invasions
Intrusion: Invasive acts that disturb one's tranquility or solitude Decisional Interference: Restrict the ability of the individual to make his or her own choices
Describe Usability Heuristics: Reduce Memory Load
Minimize the user's memory load by making objects, actions, and options visible. The user should not have to remember information from one part of the dialogue to another. Instructions for use of the system should be visible or easily retrievable whenever appropriate.
MS SDL Phase 6 :: Release :: Create an incident response plan
Preparing an Cyber Security Incident Response Plan (CSIRP) is crucial for helping to address new threats that can emerge over time. It includes identifying appropriate security emergency contacts and establishing security servicing plans for code inherited from other groups within the organization and for licensed third-party code. + Identify contact for Cyber Security Council and resources to respond to incidents + 24x7x365 contact information for engineering, marketing and management individuals with decision-making authority
MS SDL Phase 3 :: Design phase :: Attack Surface Analysis/Reduction
Reducing the opportunities for attackers to exploit a potential weak spot or vulnerability requires thoroughly analyzing overall attack surface and includes disabling or restricting access to system services, applying the principle of least privilege, and employing layered defenses wherever possible.
MS SDL Phase 5 :: Verification :: Conduct attack surface review
Reviewing attack surface upon code completion helps ensure that any design or implementation changes to an application or system have been taken into account, and that any new attack vectors created as a result of the changes have been reviewed and mitigated including threat models. • Inevitably, the code won't match the initial design • Use Attack Surface Analyzer (ASA) to analyze actual attack surface • Take corrective action if risks are revealed by this analysis
MS SDL Phase 5 :: Verification :: Perform Dynamic analysis
Run-time verification necessary to ensure a program's functionality works as designed • Black box testing: testing proceeds without knowledge of the code • Proper functioning of security features - Authentication - Encryption - Privacy controls
MS SDL Phase 4 :: Implementation phase :: Use approved tools
Specification of approved build tools and options - Compilers and code generators - Static analysis - Debuggers - Dynamic analysis - Test verification - IDE • Decide on settings and ensure settings are correct • Security isn't static - Update your tools because they change with dynamic threat environment
Describe OWASP SAMM
The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. • SAMM helps you: - Evaluate an organization's existing software security practices - Build a balanced software security assurance program in well-defined iterations - Demonstrate concrete improvements to a security assurance program - Define and measure security-related activities throughout an organization
Briefly describe the right to privacy
The right to keep a domain around us (our body, things, property, thoughts, feelings, secrets and identity). The right to privacy allows us to choose which part in this domain can be accessed by others, and to control the extend, manner and timing of the use of those parts.
MS SDL Phase 3 :: Design phase :: Use Threat Modeling
Threat modeling is a process to understand (potential) security threats to a system, determine risks from those threats, and establish appropriate mitigations.
What are the phases in Microsoft's Security Development Lifecycle?
Training > Requirements > Design > Implementation > Verification > Release > Response
Taxonomy of pseudonyms w.r.t. their function
i) Personal pseudonyms » Public personal pseudonyms / Nonpublic personal pseudonyms / Private personal pseudonyms ii) Role pseudonyms » Business pseudonyms / Transaction pseudonyms
Taxonomy of pseudonyms w.r.t. their generation
i) Self-generated pseudonyms ii) Reference pseudonyms iii) Cryptographic pseudonyms iv) One-way pseudonyms
Some examples of PHI
name, geo subdivision, dob, phone number, SSN, medical record number, health plan number, acc number, certificate/license number, vehicle number, device serial number, URLs, ip, bio identifiers, photos, full face photograph, etc
under development
under development
What is BSIMM ?
• A study of real-world software security initiatives, a reflection of the current state of software security. • The most important use of the BSIMM is as a measuring stick to determine where your approach to software security currently stands relative to other firms. • "...does not tell you what you should do; instead, it tells you what everyone else is actually doing."
Recommendations for Phase 1 - training
• Assess organizational knowledge on security and privacy, establish training program as necessary • Establish training criteria (content covering secure design, development, test and privacy • Establish minimum training frequency (employees must attend n classes per year) • Establish minimum acceptable group training thresholds (e.g. 80% of all technical personnel trained)
Describe threat modeling for privacy
• Combined security/privacy threats: - Surveillance - stored data compromise - misattribution • Privacy threats: - Correlation - Identification - secondary use - Disclosure - exclusion (unawareness)
MS SDL Phase 3 :: Design phase :: Establish Design Requirements
• Consider design principles, such as: - Least privilege - Compartmentalization - Validate/sanitize external input to the system - Log/audit system and data access - Reuse security components and libraries - Secure the weakest link • Leads to specification of: - Secure architecture - Identification of security critical components - Secure functional requirements - Security features (i.e. use of cryptography)
Technical ways to do depersonalization?
• Data Masking • Generalization • Suppression • Noise addition - Differential privacy
Things to consider at MS SDL Phase 2 :: Defining and integrating security and privacy requirements
• Development team identifies security and privacy requirements • Development team identifies lead security and privacy contacts • Security Advisor and Privacy Advisor assigned • Security Advisor reviews product plan, makes recommendations, may set additional requirements
Usability is a quality attribute that assesses how easy user interfaces are to use. Define 5 main components of usability
• Learnability: How easy is it for users to accomplish basic tasks the first time they encounter the design? • Efficiency: Once users have learned the design, how quickly can they perform tasks? • Memorability: When users return to the design after a period of not using it, how easily can they reestablish proficiency? • Errors: How many errors do users make, how severe are these errors, and how easily can they recover from the errors? • Satisfaction: How pleasant is it to use the design?
MS SDL Phase 6 :: Release :: Conduct final security review
• Provide an independent view into "security ship readiness" • The Final Security Review (FSR) is - An examination of all SDL activities performed prior to release - Examination of threat models - Review of exception requests, security tool output, performance against bug bars • The Final Security Review (FSR) is NOT: - A penetration test - no "penetrate and patch" allowed - The first time security is reviewed - A signoff process - A "catchall" phase for missed work in earlier phases • Key concept: The tasks for this phase are used as a determining factor on whether or not to release
Why Phase 1 - Training is mandatory?
• Security knowledge is lacking in general - Historically not taught in universities - Barely taught in universities now • The attackers are getting smarter every day, security is a moving target, annual training is necessary • Need to cover all the topics in the SDL • Softwares are full of bugs • ROI is higher with trained work force
When to Work on Usability?
• Test the old design • Test your competitors' designs • Conduct a field study • Make paper prototypes • Refine through multiple iterations - Move from low-fidelity prototyping to high-fidelity representations - Test • Inspect the design relative to established usability guidelines • Once you decide on and implement the final design, test it again.
According to James Reason, errors can occur at the levels of : skill-based, rule-based, and knowledge-based. Further describe each level
• skill-based (SB): slips and lapses, usually errors of inattention or misplaced attention • rule-based (RB): mistakes - usually a result of picking an inappropriate rule - caused by misconstrued view of state, over-zealous pattern matching, frequency gambling, deficient rules • knowledge-based (KB): misunderstanding - due to incomplete/inaccurate understanding of system, confirmation bias, overconfidence, cognitive strain, ...
Briefly describe the GLBA principles of + Pretexting Provisions
•The Pretexting provisions protect consumers from individuals and companies that obtain their personal financial information under false pretenses such as: • Linked to identity theft • Often social engineering