Domain 8 - Software Development Security

regardless the language used, all instructions and data have to end up in a binary format the processor understand, goes through transformation through the assemblers - convert assembly language source code into machine code. compliers - convert high-level (source language) statements into the necessary machine-level format (.exe, dll) for processors to understand. C++ interpreters - program in different uses interpreter to convert high-level code to machine code .NET. improve portability. ie. Java uses Java Virtual machine the interpreter converts the byte code into a machine-level format for execution. benefits: platform independence and memory management functions are part of interpreter. disadvantage: cannot run as standalone application, requires interpreter to install on local machine.

Assemblers

identify and reduce the amount of code and functionality accessible to untrusted users by: reducing code running, reduce entry points available to untrusted sources, reduce privilege levels, eliminate unnecessary service. (design phase)

Attack surface

central collection of data element definitions, schema objects, and reference keys. centrally manage parts of database by controlling metadata within the db. provides cross reference between groups of data elements and the databases.

Data dictionary

contains all commands that enable a user to view, manipulate, and use database (view, add, modify, sort, and delete commands.)

Data manipulation language (DML)

executes a program, or string of code, when a certain set of conditions is met

logic bombs

application programming interface - software components interact with other software components. reuse, maintainable by localizing changes that need to be made while eliminating cascading effects of fixes or changes. libraries- collection of components that do specific things useful to other components. reduces amount of new code needs to be developed,

API

ADO API allows apps to access back-end database system. a set of ODBC interfaces that exposes the functionality of data sources through accessible objects. uses OLE BD interface to connect the database. use in web applications and other client/server app. characteristics -high-level data access programming interface to an underlying data access technology (OLE DB) -set of COM objects for accessing data sources, not database -SQL command not required

ActiveX Data Objects

Scrum- lean and customer focused. team collaboration, customer involvement, and continuous delivery. sprint, backlog for features. Extreme programming - no backlog, no sprint. continuous reviews of code accomplished by pair programming, which on programmer dictates the code to the other programmer, when then types it. another eyes reduces the incidence of errors and improve quality. reliance on test-driven development, unit tests are written before the code. Kanban - visual tracking of all tasks to help prioritize at point in time to deliver the right feature at the right time.

Agile

heterogeneity: diversity of both sources and structures of the data (free text and images) complexity: interrelationships between images that are trending variability: some sources produce nearly constant data while other sources produce data much more sporadically reliability: sources may be unreliable volume: big big data is stored in specialized systems like data warehouses and is exploited using approaches such as data mining.

Big data

Computer-aided software engineering: tools used to automate development of software

CASE

capability maturity model integration comprehensive, integrated set of guidelines for developing products and software. procedures, principles, practices that underlie software development process. evolutionary path from ad hoc to more disciplined and repeatable method of improve software quality, reduces the life cycle of dev. goal: continue to review and improve upon the processes to optimize output, increase capabilities, and provide higher-quality software at a Lowe cost through implementation of continuous improvement.

CMMI

1.Initial - dev process is ad hoc or even chaotic. not use effective management procedures and plans. no assurance consistency, quality unpredictable. 2. Repeatable - formal mgmt structure, change control, quality assurance in place. repeat processes. no formal processes models defined. 3. Defined - formal procedures are in place that outline and define processes carried out in each project. has way to allow for quantitative process improvement. 4. managed- formal processes in places to collect and analyze quantitative data, and metrics are defined and fed into the process improvement program 5. Optimizing - has budgeted and integrated plans for continuous process improvement

CMMI Levels

common object request broker architecture provides interoperability among other software, platforms, and hardware to communicate. enables apps to communicate with one another no matter the app are located and who developed them. defines APIs, communication protocol, and client/server methods. complete distributed environment. has two main parts: system-oriented components (object request broker (ORB) and object services) and application-oriented components (application objects and common facilities)

COBRA

is the process of controlling the Changs that take place during the life cycle of a system and documenting the necessary change control activities. establish at beginning of project. changes MUST be approved, documented, and tested. processes should be evaluated during system audits.

Change control

reflects how many different types of tasks a module can carry out. higher cohesion is good - easy to update and modify without affecting other modules that interact with it. same tasks = high cohesion. one task ore similar. low cohesion = different tasks and increases complexity of the module

Cohesion

Objects shuold be self-contained and perform a single logical function, which is high cohesion. Object should not drastically affect each other, which is low coupling.

Cohesion and coupling

COM allows for interprocess communication within one application or between application on the same computer. Created by microsoft to interact with Windows ops and diff app developed for this platform. Distributed components object model - COM enables apps to use components on the same systems, while DCOM enables apps to access objects that reside in different parts of a network. has library that takes care of session handling, synchronization, buffering, data format translation,. works middleware that enable distributed processing and provides communication across all network. distributed inter processing.

Component Object Model

when there is a data that will be accessed and modified at the same time by different users and/or apps. lock is in place to ensure concurrency issue do not cause problem. locks tables within database, make changes, and then release software lock. ensure two processes do not cases the same table at the same time.

Concurrency

measurement that indicates how much interaction one module requires to carry out its task. low (loose) coupling means module does not need to communicate with many other modules to carry out its job. more desirable. easier to reuse and change. create well-structured module high (tight) coupling means module depends upon many other modules to carry out its tasks.

Coupling

inject malicious code into a web application in client-side leads to stolen cookies, hijacked sessions, malware execution, bypassed access controls, or aid in exploiting browser vulnerabilities. nonpersistent - reflected vulnerabilities - occurs when attacker tricks victim into processing a ULR programmed with a rogue script to steal victim's sensitive info. exploit lack of input/output validations on dynamic website. persistent - stored or second-order vulnerability. allow users to input stored in a DB or any other location (forum, message board, guest books). readers views post and malicious javascript execute DOM (document object model) local cross-site scripting - attacker documents components such as form fields and cookies can be referenced through javascript. modify original client-side javascript.

Cross-site scripting

antimalware files that contain updates (new signatures) are called DAT files, it's just a data file extension .dat.

DAT files

database management system is a suite of programs used to manage large sets of structured data with ad hoc query capabilities for many types of users. can also control the security parameters of the database.

DBMS

defines structure and schema of the database. structure could mean the table size, key placement, views, data relationship element. schema describes the type of data that will be held and manipulated and their properties. defines structure of the database, access operations, and integrity procedures.

Data Definition Language (DDL)

process of analyzing a data warehouse using tools that look for trends, correlations, relationships, and anomalies without knowing the meaning of the data. data goes into a data warehouse and metadata comes out of that data warehouse. known as knowledge discovery in database (KDD), and is combination of techniques to identify valid and useful patterns. classification: group together data according to shared similarities probabilistic: identify data interdependence and applies probabilities to their relationships statistical: identifies relationships between data elements and users rule discovery

Data mining

relational -uses attributes (columns) and tuples (rows) to contain and organize info. hierarchical network object-oriented object-relational

Database models

interact and communication mechanisms. Open database connective (ODBC) - API communicates with database locally or remotely. Object linking and embedded database (OLE DB) ActiveX Data Objects (ADO)

Database programming interfaces

aggregation - the act of combining info from separate sources, the combination of the data forms new info, which the subject does not have the necessary right to access. the combined info has a sensitivity that is greater than that of the individual parts. inference - intended results of aggregation. lower security level indirectly portrays data at a higher level. ability to derive information not explicitly available.

Database security issues

Software requirements come in three models go into design requirement. what comes out of design Is the data, architectural=, and procedural design. -Informational - dictates info to be processed and how it will be processed -functional- outlines the tasks and functions the app needs to carry out -behavioral - explains the states the app will be in during and after specific transitions take place Security required for this phase: attack surface analysis threat modeling

Design Phase

Break and fix - no real plan up front. flaws are reactively dealt with after release Waterfall - very rigid, sequential approach requires each phase to complete before next begin. difficult to integrate changes. inflexible V-model - emphasizes verification and validation at each phase and testing to take place throughout the project, not just at the end Prototyping - creating a sample or model of the code for proof-of concept purposes incremental - multiple development cycles are carried out on a piece of software throughout its development stages. each phase provides useable version of software. spiral - iterative approach that emphasizes risk analysis per iteration . allows customer feedback to be integrated through flex evolutionary approach RAD - combines prototyping and iterative development procedures with the goal of accelerating the software development process Agile - iterative and incremental development processes that encourage team-based collaboration. flexibility and adaptability are used instead of a strict process structure Exploratory - clearly defined project objectives have not been presented. relies on covering a set of specification likely after the final product functionality. JAD - uses team approach like workshop oriented environment. including members other than coders in the team. Reuse - gradually modifying pre-existing prototypes to customer specification Cleanroom - attempts to prevent errors or mistakes by following structured and formal methods of developing and testing. high quality and mission critical application for strict certification process

Development Models

Build and fix - no architecture design carried out, development takes place immediately with little planning involved. problems dealt with as occurs. no formal feedback. not proactive method of ensuring quality. quick release with many issues waterfall - linear-sequential life-cycle. all requirements gathered in the initial phase with no way to integrate changes. rigid approach and not effective for complex project. V-shaped - similar to water, lays out a sequential path of execution processes. each phase must completes before the next begin with testing built in throughout the development phases. rigid, not integrate iterations of phases, no risk analysis activities Prototyping - sample of software code or model that can be developed to explore specific approach to a problem before investing expensive time and resources. 3 types of prototyping rapid evolutionary operational Incremental- each incremental phase results in a deliverable that is an operational product. working version of software is produced after the first iteration add that version is improved upon each of the subsequent iterations. flexible, finish product at each stage. works best risk, program complexity, funding and functionality need to be understood early. customer feedback early. Spiral.- iterative approach, place emphasis on risk analysis. 4 main phases: determine objectives, identify and resolve risks, development and test, plan the next iteration. allows new requirements to be addressed as they are uncovered. RAD - rapid application development - analysis and quick design - build, demonstrate, refine - testing, implement. allows customer involvement Agile: focuses on incremental and iterative development methods that promote cross-functional teamwork and continuous feedback mechanisms. small increments of functional code that are created based on business need. focus on individual interaction instead of process and tools. Use story.

Development Models

Java applets - down and contained in a sandbox virtual environment, restricts resources waiting the users' computer. Not always stayed within sandbox is a security concern. ActiveX - Microsoft - comes in component container feature that allows multiple application and networked computers to reuse active components. unlike Java, ActiveX downloaded to hard drive gives greater access to eh user's system compared to java applets. authenticode technology relies on digital certificate and trusting certificate authorities.

Different Mobile code

DCE - developed by OSF (open group). client/server framework - integrate and share between heterogeneous system. provides Remote Procedure Call (RPC) service, security service, directory service, time service, and distributed file support. management service with communication based on RPC, sits on top of network layer and provide services to application above it. clock synchronization. DCOM uses globally unique identifier (GUID) while DCE uses universal unique identifier (UUID). RPC collects the argument and commands from the sending program and prepares them for transmission over the network.

Distributed computing environment

DCE was first attempted at providing client/server distributed computing capabilities and worked mainly in unix-based COBRA allows interoperability and distributed computing mostly non-microsoft apps DCOM software that needed to work in a distributed computing environment in Microsoft products, .NET framework Java EE large enterprise-wide application that used upon java can carry out distributed computing SOA - web-based distributed computing happens throughout web services and SOA framework Same goal - allow a client app component on one computer to be able to communicate with a server app on another computer.

Distributed computing types

evaluation program in real-time, when it is running after cleared static analysis. advantage is to eliminate the need to create artificial error-inducing scenarios. effective for compatibility testing detecting memory leakages, and identifying dependencies, analyzing software without have to access its actual source code

Dynamic analysis

testing technique to discover flaws and vulnerabilities by sending large amount of malformed, unexpected, or random data to the target program in order to trigger failures.

Fuzzing

C language could be vulnerable to buffer overrun and format string errors. library does not check for length of the strings of the data they manipulate by default. Garbage collector automated way for software to carry out part if its memory management tasks. identifies blocks of memory that were once allocated but are no longer in use and deallocate the blocks and marks them as free. gather free blocks o memory and combine them into larger blocks. no garbage collector, attacker can carry out DoS.

Garbage collector

prevent users from getting access to the inferable information through Content-Dependent access control - based on sensitivity of the data. more sensitive data, smaller the subset of individuals who can access the data. Context-dependent access control - software understands what actions should be allowed based upon the state and sequence of the request. track previous access attempts by the users and understand what sequence of access steps are allowed. cell suppression - hide specific cells that contain info that could lead to inference attacks. partitioning - dividing db into different parts, harder to find connecting pieces of data that can be put together. noise and perturbation - inserting bogus data info in hopes of misdirecting or confusing

Inference Controls

a multidisciplinary development team that has right business stakeholder representation in every phase of the development as formal team. inward facing. IPT is a management technique, not development methodology. DevOps - incorporate dev, IT, and quality assurance staff into software development project to align their incentives and enable efficient and reliable releases of software products. DevOps changing culture of org. identify potential defects, vulnerabilities, friction early in the process to address proactively. increase trust, job satisfaction, morale booster.

Integrated Product Team

rollback - changes are cancelled and the db returns to its previous state. Commit - changes are made and reflected in the database savepoints - return to a point where system crashed or failed. checkpoint - similar to savepoint, but check initiated when database fills with certain memory. restore the users' working environment to its previous state. two-phase commit - sends out a pre-commit command to each database. if DBs respond with an acknowledgement, then the monitor sends out a commit commend to each database.

Integrity operations

DB software performs 3 main types of integrity services: Semantic - mechanism make sure structural and semantic rules are enforced. referential - all foreign keys reference existing primary keys. no foreign key contains a reference to a primary key of a nonexistent record, or a null value entity - guarantees that the tuples are uniquely identified by primary key values. very tuple contains one primary key. if it doesn't have a primary key, it cannot be referenced by the database. cannot contain unmatched foreign key value.

Integrity services

JDBC an API allows Java app to communicate with DB. bridge through ODBC or directly to the database.

Java Database connectivity (JDBC)

java platform enterprise edition defines client/server model distributed computing, goal of interoperability. it takes advantage of "write once, run anywhere" capability. based on COBRA. scalability, concurrency, transactions, and various security services for the clients.

Java EE

code that can be transmitted across a network, to be executed by a system or device on the other end

Mobile code

provides an interface to allow applications to communicate with different data sources.

OLE DB

separates data into components that run as middleware on a client or server. provides low-level interface to link information across different databases and access to data no matter where it located or how it's formatted. characteristics: replacement for ODBC a set of COM-based interfaces OLE DB is limited to being used by MS and use through ActiveX Data Objects

OLE DB

implement ACID Atomic - divides transactions into units of work and ensures that all modifications take effect or none takes effects. changes are committed or database is rolled back. consistency - must follow integrity policy isolation - transactions execute in isolation until completed, without interacting with other transactions. results of modification are not available until transaction is completed. durability - once transactions is verified as accurate on all systems, it is committed and the database cannot be rolled back.

OLTP characteristics

object oriented analysis - process of classifying objects that will be appropriate for a solution use in application. Object oriented design - creates representation of a real-world problem and maps it to a software using OOP. design that modularizes data and procedures; the design interconnects data objects and processing operations

OOA OOD

method is function or procedure an object can carry out. encapsulate - information packaged under one name and can be reused as one entity by other objects. messages - objects communicate with each other by messages sent through receiving object's API. can have single (1-to-1) or multiple connections (1-to-many). shared - object can have shared or private portion. shared portion is interface (API) enables to interact with other components. Private is how it actually works and performs the objects. data hiding - details of the process are hidden from all other program elements outside of the object. provided by encapsulation, which protects and object private data from outside access. no object allowed to, or hav the need to, access another object's internal data or process. abstraction - capability to suppress unnecessary details so the important, inherent properties can be examined and reviewed.

OOP terminology

object requested broker - manages all communication between components and enables them to interact in a heterogeneous and distributed environment. enables different components throughout a network to communicate and work with each other. sits between different COBRA client application and manages communications. middleware that allows client/server communication to take place between objects residing on different systems

ORB

OLE - provides a way for objects to be shared on a local personal computer and to use COM as their foundation. OLE enables objects such as graphic and clipart into document. the capability for one program to call another program is called linking. the capability to place a piece of data inside a foreign program or document is called embedded.

Object lining and embedding

works with classes and objects. generate code is aka Instantiated. object belongs to a class and takes not eh attributes of that class. Benefits: Modularity - building blocks autonomous objects, cooperating through the exchange of messages. Deferred commitment - internal components of an object can be redefined w/o changing other parts of the system Reusability - classes are reused by other programs, may be refined through inheritance Naturalness - analysis, design, and modeling map to business needs and solutions

Object-Oriented Programming

OLTP when databases are clustered to provide fault tolerance and higher performance. ensure transactions either happen properly don't happen at all. if one transaction fails, the rest of the operations needs to be rolled back to ensure only accurate data is entered into database. records transactions as they occur (in real time) updates more than one database in a distributed environment.

Online transaction processing

process of interactively producing more detail versions of objects by populating variables with different values or other variables. often used to prevent inference attacks. an alternative approach to deny access when a lower-level user attempts to access a higher-level object. table that contains multiple tuples with the same primary keys, with each instance distinguished by a security level.

Polyinstantiation

create viable that can be used in different forms. application determines what form to use during execution aka run-time. two objects can receive the same inout and have different outputs. takes place when the different objects respond to the same command, input, or message in different ways.

Polymorphism

created after completion of risk assessment. indicates the sensitivity leave if data that will be processed or accessible. P1. High Privacy Risk - feature, product, service stores or transfers PII. ongoing transfer of anonymous data, changes settings of file type associations P2, Moderate - one-time, user initiated anonymous data transfer. P3, Low - no anonymous or PII transferred, stored.

Privacy Impact Rating

Generation 1 - Machine learning (binary) 2- Assembly - low level, uses symbols (mnemonics) 3-High-level - use abstract statements (if, then, else) use compliers and interpreters 4-very high level- enhanced natural language (algorithms and function statements) 5-natural language - eliminate the need for programming expertise and instead use advanced knowledge based processing and artificial intelligence.

Programming Language

focused on minimizing the number of errors = software will have fewer vulnerabilities and be more secure

Quality

enables users to make requests of the database

Query language (QL)

most database languages include -data defintion language (DDL) defines the schema -data manipulation language (DML) examines data and defines how the data can be manipulated within the database -data control language (DCL) - defines the internal organization of the database -ad hoc query language (QL) - defines queries that enables users to access the database within the database

Relational Database Components

produces printouts of data in a user-defined manner

Report generator

attempts to understand why project is needed and what the scope of project entails. A conceptual definition of project should be initiated and developed. Security required for this phase: Security requirements (CIA) Security risk assessment (threats and consequences) privacy risk assessment (data sensitivity level, leads to Privacy Impact Rating) risk-level acceptance (mitigation efforts are prioritized)

Requirement Gathering Phase

Requirements gathering: security risk assessment privacy risk assessment risk level acceptance info, functional, and behavioral requirements Design Attack surface analysis Threat modeling Development: automated CASE tools Static analysis Testing/validation Dynamic analysis Fuzzing Manual testing unit, integration, acceptance, regression Release/maintenance final security reviews

SDLC and security

putting repeatable and predictable process in place to help ensure functionality, cost, quality, and delivery scheduled requirements are met. Requirements gathering - why create, what will do, for whom Design- how to software will accomplish the goal Development- programming Test/validation-works as planned Release/maintenance - properly config, patched, monitored

SLDC

Simple Object Access Protocol allows communication over web-based for apps running on diff OS that were written in diff programming language. XML-based protocol that encodes the messages in a web service environment. defines XML schema and how objects communicate directly. advantage gets through firewall because HTTP.

SOAP

drawn at the beginning of a development project and integrated into the functional plan, should have a reference section for detailed docs

Security Plan

SOA - application access one centralized place that approves the functionality they require. sends to service broker - basically a map of all the services available within specific environment SOA, usually provides through web service. using web-based communication Simple Object Access Protocol (SOAP). Web service description language (WSDL) provides machine-readable description of the specific operations provided by the service. Universal description discovery integration (UDDI) is an XML-based that list the available services. UDDI all businesses to publish their services and others to discover and use these services. Through UDDI, the broker can provide access to the WSDL document.

Service-oriented architecture

software product during its development life cycle, a config management system can be put into place that allows for change control processes to take place through automation. maintaining integrity and traceability of changes throughout SDLC. concurrency management, versioning, synchronization.

Software configuration management

describes product and customer requirements. ensures that requirements are properly understood and assumptions are not made. prevents scope creep.

Statement of Work (SOW)

technique to help identify software defects or security policy violations and is carried out by examining the code without executing the program and before the program is compiled. scalable method of code review and ensures coding policies are being followed vs. manual inspection.

Static Analysis

Unit testing - testing individual components in a controlled environment whee programmers validate data structure, logic, boundary conditions Integration - verify components work together as outlined in design specifications Acceptance - ensure code meets customer requirements Regression - after change to system takes place, retesting to ensure functionality, performance, and protection (testing/validating phase)

Testing Types

unit testing - ensuring the quality of individual code modules or classes. test-driven development - test in parallel with coding. purpose -testing is to isolate each part of the software and show that the individual parts are correct. map security risk to cases and code. run security tests test environment should mirror prod.

Testing and validation phase

Verification determines if the produce accurately represents and meets the specification. did we build the product right. Validation - determines if the product provides the necessary solution for the intended real-world. did we build the right product?

Verification

systematic approach used to understand how different threats could be realized and how a successful compromise could take place. think through potential activities can happen at different input and output points of the software and the types of compromises that can take place within the software (design phase)

Threat modeling

administrative interfaces - disable interfaces, use out-of-bound (separate channel of communications to avoid vulnerability), SSH authentication and access control - use secure and encrypted mechanism TLS. input validation - use client validation; attacks: -path or directory traversal - dot dot dash to root directory -unicode encoding - different character (%) to root directory -URL encoding - bypass filtering techniques -cross site scripting parameter validation - values/variables defined limits before server app process them within system session management - assign unique session ID to every connection. uniquely identifies client to server or app. Random assigning session ID is better than sequential ID to prevent session ID prediction. timestamp or time-based validation prevent replay attack.

Threats for web environments

disguise as another program. malware. commonly used out various types of online banking fraud and ID theft. Remote access trojans (RATs) are malicious programs that run on system and allow intruders to access and use a system remotely. once loaded, attacker download or upload files, send commands, monitor user behaviors, install zombie software.

Trojan horses

Pillars 1 - analyze website architecture. clearer and simpler a website, easier to analyze security aspects/ 2 - user generate input must be analyzed. 3 - output generated should be filtered to ensure PII data is not being disclosed 4- use encryption and key 5- designed to behave in a predictable way, failing securely. display friendly message with display system details 6-maintian state of equilibrium between security and functionality

Web app security principles

software that automatically generates advertisements be provided through pop-ups, user interface components, or screens presented during installation of updates of other products. profit driven instead of malicious intent

adware

stand-alone antimalware policy or have one incorporated into an existing security policy. standards outlining what to install and how to config. info ad expected user behaviors integrate into the security-awareness program, along with contacts to report. covers do's and dont's.

antimalware program

uses signature to detect malicious code. signatures sometimes aka fingerprints. signature-based detection (fingerprint detection) heuristic detection - analyze overall structure of the malicious code, evaluate the coded instructions and logic functions, and looks at the type of data within the virus or worm. once a predefined threshold is met, the code is officially considered dangerous and antimalware protect the system. this allows antimalware to detect unknown malware instead of just relying on signature.

antimalware software

next phase of antimalware allows suspicious code to execute within the operating system unprotected and watch its interaction with the OS, looking for suspicious activity. in order for it to work, malicious code must actually execute in real time.

behavior blocking

short for robot and is a piece of code that carries out functionality for its master, who could be the author of the code. type of malware, lies dormant(zombie code) and wait for command instructions for activation. collection of compromised systems is referred as botnet. owner is referred to as bot herder, controls remotely through internet relay chat (IRC) protocol. pass through HTTP or IRC. servers that send bots instructions and manage botnets are command-and-control servers. fast flux is an evasion technique to hide the phising and malware delivery sites that are using.

botnets

combination of functionality, data, and presentation capabilities of tow more sources to prod some type of new service or functionality

mashup

data independently both the way the data is processed and the components that processes that data. follows an input value from beginning to end and verifies that the out is correct. OOA. databases - provides insight into the data and the relationships that govern it. pointers point to the right place.

data modeling

representation of the logical relationship between elements of data. dictates the degree of association among elements, methods of access, processing alternatives, and org data elements. hierarchical structure.

data structure

ensure consistency among the data easier backup procedures transaction persistence (carrying transaction are durable and reliable) recovery and fault tolerance sharing of data with multiple users security controls that implement integrity checking, access control and necessary level of confidentiality

database characteristics

virtual machine or sandbox. they the same thing - a piece of memory that's segmented and protected so that if the code is malicious, the system's protected. reviewing info about a piece of code is called static analysis, while allowing a portion of the code to run in a virtual machine is called dynamic analysis. They are both considered heuristic detection methods.

emulation buffer

combines records and fields that are related in a logic tree structure. can have child, no child, or children. useful for mapping one-to-one relationship. not flexible in creating relationships. first types of database model created. no indexes and links between branches and leaves on different layers. use in LDAP

hierarchical database model

another approach to antimalware would make it look as though a file, program, or disk already infected. an immunizer attaches code to the file or app, which would fool a virus into "thinking" it was already infected. this would cause the virus to not infect the file or app and move onto the next file

immunization

itself provides protection mechanisms, such as garbage collection, memory management, validating address usage, and component that verifies adherence to predetermined rules.

java language

piece of malicious software that can compromise systems, designed to carry out a wide range to malicious activities such as to obtain sensitive info, gain unauthorized access to systems,

malware

common for malware to have 6 elements: insertion - install itself on the victim's system avoidance - use methods to avoid being detected eradication - removes itself after the payload has been executed replication - make copies of itself and spreads to other victims trigger - use an event to initiate its payload execution payload - carries out its function ( delete files, installs a back door, exploit a vulnerability)

malware component

built upon hierarchical database model. have multiple parents and child records. redundant network-like structure instead of street tree structure (hierarchical), uses records and sets. records contain fields.

network database model

designed to handle a variety of data types (images, audio, documents, video) object-oriented database management system (ODBMS) more dynamic than relational. has classes to define the attributes and procedures for objects. return not only data but code to carry out procedures on this data. not dependent on SQL for interaction.

object oriented database

object relational database or ORDRMS is a relational database with a software front end that is written in an object oriented programming language. application accesses database does not need to contain procedures necessary.

object relational database

passing cookies to client to help remember things about the state of the connection known as session cookies or locally as file called persistent cookie to pass state info back to server. accessing cookies in memory. countermeasure - adequate parameter validation: pre-validation: input controls verifying data is in inappropriate format and compliant with app specifications prior to submission to the app. post-validation: ensuring an app's output is consistent with expectations (within predetermined constraints of reasonableness)

parameter validation

when system is successfully compromised, an attacker may attempt to elevate its privileges to obtain administrator - or root user - level access. once achieved, attacker can upload a bundle of tools, collectively called rootkit. first thing installed is backdoor program, enter anytime without having go through any authentication. others tools credential capturing, sniffing, attacking other systems, covering the attackers tracks. replaced old tools with new with same name aka Trojaned programs, do malicious in the background so activities don't get detected. use log scrubbers to remove traces of the attacker activities from the log.

rootkit

unsolicited junk emails. detecting technique is Bayesian filtering - reviews prior events to predict future events, quantifying uncertainty. applies statistical modeling to words. carries out frequency analysis on each word and then evaluates the message as whole to determine whether or not it is a spam.

spam detection

type of malware installed on target computer to gather sensitive info. gather victim's online browsing habits, which is then often used by spammer. direct a victim's computer to perform tasks such as installing software, chaining system settings, transferring browsing history, logging keystrokes, taking screenshots

spyware

rapid - (aka throwaway) quick create prototype test current understanding of project. not built upon, but discard after serving its purposes. evolutionary - built with incremental improvement until it reaches the final product stage. feed at each stage. operational - extension of evolutionary. designed to be implemented within a production environment. update as customer feedback gathered, and changes to software happen within the working site.

three types of prototyping

small application, or string of code, that infects software. main function is to reproduce and deliver its payload and requires a host application to do this. cannot replicate on its own. infects file by inserting or attaching a copy of itself to file. delivery mechanism. subcategory of malware. makes software component an actual virus is it can self-replicate.

virus

macro virus- written in visual basic VBscript. infect and replicate in templates and within docs. boot sector- move data or overwrite sector with new information stealth - hides the modifications it has made to files or boot records. hides its track after affecting the system polymorphic - capability to change its own code, enabling virus to have different variants. multipart - multiple attack vectors can attack more quickly meme - computer virus, email message can be forwarded around the internet script - files executed by interpreters tunneling - attempts to install itself under antimalware program. intercept and respond to scan that everything is okay

virus types

piece of software installed on a system that is designed to intercept all traffic between the local web browser and web server (burp suite) to modify cookies values. also can identify hidden fields passed to server

web proxy

can reproduce on their own without a host application or environment, and are self-contained programs

worms

heuristic detection and behavior blocking is considered proactive and can detect new malware, sometimes called zero day attacks. signature-based detection cannot detect new malware.

zero day