Implementing Security in the Systems and Software Development Lifecycle
Race Conditions
A condition in which the resulting outcome from execution processes is directly dependent on the order and timing of certain events.
Security Requirements Traceability Matrix (SRTM)
A matrix that enables identification of the security requirements of a given system and the actual implementations or tests that can evaluate whether the requirement has been achieved.
Application Sandboxing
A security technique used to segregate an application from other applications and data on a system.
Fuzzing
A testing method used to identify vulnerabilities in apps by inputting random or unusual data and noting any failures that result.
Resource Exhaustion
A type of DoS vulnerability that occurs when an application does not properly restrict access to requested or needed resources.
SQL Injection
An attack in which an attacker embeds code in a web app to generate an SQL query that can compromise data in a database.
XSRF (cross-site request forgery)
An attack that takes advantage of the trust established between an authorized user of a website and the website itself.
Clickjacking
An attack where an attacker tricks a client into clicking on a web page link that is different from where they had intended to go.
Application Sandboxing
App launched in a sandbox cannot edit OS files or modify user's stored files. Restricts malicious apps from harming the system. Used when testing apps during development. Keeps apps isolated from other systems. Also used during deployment and operation. Creates secure environment for apps to execute.
Persistent cookie/Session cookies
Both types are susceptible to attacks. Both can be used in conjunction with attacks like XSRF. You must ensure the secure storage and transmission of cookies.
Fuzzing is a security assessment technique that allows testers to analyze the behavior of software applications under which of the following conditions? A. Unexpected input B. Invalid output C. Parameterized input D. Valid output
Can trigger buffer overflows. Can find memory leaks and other bugs in development. Enables developers to address faults in code. Usually performed toward the end of development. Fuzzing tool can test buttons, text fields, web forms, RPC requests, etc. Use fuzzing on apps that perform sensitive online transactions. Should supplement human code reviews, not replace them.
Memory Leaks
Common in unmanaged languages like C and C++. Developer is responsible for managing memory allocation. Less common in managed languages like Java. Built-in memory management and garbage collection. Leaks start small and get bigger over time until system is out of resources. App and system itself can crash. Attacker can exploit leaks to initiate a DoS. Countermeasures depend on the language. Stress testing and debugging are key.
Integer Overflow
Computers process data in binary (1 or 0). An 8-bit integer has a max value of 11111111 (255 in decimal). Storing an integer greater than 255 at this location will cause an overflow. Overflows can lead to app crashes and unintended behavior. Signed integers may overflow and change from positive to negative. Like buffer overflows, certain programming languages offer protections. Bounds checking and sanity checking are mitigation techniques.
XSS Mitigation
Conduct full reviews of source code. Look for inputs that are not validated and sanitized. Inspect the validation/sanitization routines themselves. Just reviewing client-side code can reveal vulnerabilities. Check public repositories for already existing secure code. Conduct fuzzing of apps to test inputs for XSS.
Cookie Security Attributes (Secure)
Cookie is sent only over a secure channel (HTTPS). Protects against man-in-the-middle.
Cookie Security Attributes (HttpOnly)
Disables scripts from accessing cookie. Protects against XSRF.
Clickjacking Mitigation
Frame busting: Forces a page to the top of a frame. Removes malicious iframe loaded on a site. Simple JS code: if ( top != self ) { top.location = self.location ; } Advanced iframe attacks require advanced JS countermeasures. Modern browsers support X-Frame-Options: Defines response headers to prevent other sites from framing content. DENY prevents any site from framing content. SAMEORIGIN denies every site except the same page. ALLOW-FROM whitelists specific pages. Header must be deployed to all pages to be effective.
Continuous integration (CI)
Frequent merging of code from different developers into one base repository. Incorporates build automation. Helps avoid conflicts with integration of different code. Issues are identified and addressed more easily and quickly.
User acceptance testing
Gathers feedback from target audience. Product must meet needs of the consumer. Users evaluate how app handles their privacy.
Recommissioning
In case decommissioning is temporary, the technology is re-evaluated and pushed back into production so it can be reused without requiring new development.
Design phase
In this phase, an organization develops a detailed description of how the software will satisfy all functional and security goals. It involves mapping the internal behavior and operations of the software to specific requirements to identify any requirements that have not been met prior to implementation and testing.
Develop phase
This phase is where the code or instructions that make the software work are written. The emphasis of this phase is strict adherence to secure coding practices.
initiation phase
In the _________ phase, the realization is made that a new feature or functionality is desired or required in the enterprise. This new feature might constitute an upgrade to an existing asset or the purchase or development of a new asset. In either case, the __________ phase includes making a decision about whether to purchase the product or develop it internally.
gather requirements phase
In this phase of the (Software) SDLC, both the functionality and the security requirements of the solution are identified.
SDLC (Systems Development Life Cycle)
Involves a diverse set of resources from the organization. Security is a large part of SDLC during all of its phases. Large-scale projects rely on SDLC to manage many human resources.
SQL Injection Mitigation
Parameterized query: A technique in which a query incorporates placeholders for some of its parameters.
DevOps
Its purpose is to shorten the SDLC.
XSS attack
Stored attack: Attacker injects malicious code into website forums or other data. User views the page with the malicious code and is attacked. Reflected attack: Attacker crafts a malicious request to send to a legitimate server. Attacker sends link to victim, victim clicks it, and script is reflected off the server. Script then executes on victim's browser. DOM-based attack: Malicious scripts not sent to server at all. Attack takes advantage of JavaScript to execute solely on client side.
Testing and evaluation
The developed technology is tested to ensure it conforms to expectations.
Privilege Escalation
The process by which an entity obtains access to additional resources or functionality that they are normally not allowed access to.
Session Management
The process of enabling web apps to uniquely identify a user across a number of different actions and requests.
Configuration Management
These functions belong to what? • Report the status of change processing. • Document the functional and physical characteristics of each configuration item. • Perform information capture and version control. • Control changes to the configuration items and issue versions of configuration items from the software library.
Change Management
This process ensures that all changes are both approved and documented. Because any changes can affect both security and performance, special attention should be given to monitoring the solution after any changes.
Clickjacking Attack
Victim may be redirected to what looks like a legitimate page. Victim proceeds to input sensitive information. Attacker can also redirect user to a malicious web page that runs a harmful script. Often made possible through inline frames (iframe). Attacker makes iframe the target of a link defined by other elements. User selects link and inputs credentials. Invisible iframe accepts the credentials.
1. Initiate 2. Acquire/develop 3. Implement 4. Operate/maintain 5. Dispose
What are the 5 steps in the Systems Development Lifecycle (SDLC)?
Software Development Life Cycle
What are these eight steps for? Step 1. Plan/initiate project. Step 2. Gather requirements. Step 3. Design. Step 4. Develop. Step 5. Test/validate. Step 6. Release/maintain. Step 7. Certify/accredit. Step 8. Change management and configuration management/replacement.
SDLC Frameworks
You don't need to come up with your own lifecycle framework. Several frameworks are available to you. Span different industries, and may focus on specific technologies/methodologies. Security-focused examples: Security Considerations in the System Development Life Cycle (NIST SP 800-64). Security Development Lifecycle (SDL), created by Microsoft. All tend to incorporate threat, vulnerability, and risk-related controls. Ensure systems are secure by design, not reactively. Choice of framework depends on your own organization's needs.
systems development life cycle (SDLC)
is the practice of designing and deploying technology systems across this lifecycle. It involves a diverse set of resources from the organization, and security is a large part of the SDLC effort in all of its phases.
test and evaluation phase
several types of testing should occur, including ways to identify both functional errors and security issues.
Project planning
Developing a plan that will optimize resource allocation during design, development, and beyond.
Baseline
It is important so that continuous monitoring can take place. The __________ ensures that performance issues can be quickly determined. Any changes over time (for example, addition of new features, patches to the solution, and so on) should be closely monitored with respect to the effects on the ___________.
Session management
Keeps the state of data generated by user and ensures it is assigned to that user only. Found in the majority of web apps. Important for authentication and ensures integrity of data exchange. Is a prime target for attackers.
Application Security Framework
A framework embedded into standard software development processes to make it easier to apply security throughout the lifecycle.
Resource exhaustion attacks
Attacker can consume an important resource like bandwidth or CPU time. App can't perform its functions and may crash. Simple to carry out and often effective. Failopen apps will expose access in the event of resource exhaustion crash. Limit amount of resources any one user can allocate with your app. Limit simultaneous resource requests. Cache commonly accessed data. Design apps to be failsafe or failsecure.
Cookie hijacking
Attacker can propagate a DoS and sign in as the user. Mitigation: Encrypt cookies in transmission. Delete cookies from browser cache on session termination. Deliver new cookies with each new session.
SQL injection attack
Attacker can retrieve, modify, or delete data. SQL is widely used as a database language for web apps. Attacker tests input elements like URL parameters, form fields, POST data, etc. Simple injection is to add a single apostrophe to a query. Attacker can use resulting errors to refine their test queries. No errors may mean the app is vulnerable to injection. Attackers can also use a wildcard (%) or an expression like 1=1 to expose data.
Cookie poisoning
Attacker can use modified cookie to exploit web app vulnerabilities. Mitigation: Validate input to account for tampered-with cookies. Encrypt cookies in transmission and storage. Delete cookies from browser cache on session termination.
Session fixation attack
Attacker manipulates methods like GET requests. Some sites use GET requests to assign values to user cookies. More commonly, an attacker can use XSS to set session cookie through JavaScript.
Session predictions
Attacker predicts session token and can take over a session yet to be established. Session token should be cryptographically secured and not reveal client info. Apps should limit the lifespan of sessions and require re-authentication.
plan/initiate phase
Security professionals should be involved in this phase to determine if information involved in the project requires protection and if the application needs to be safeguarded separately from the data it processes. Security professionals need to analyze the expected results of the new application to determine if the resultant data has a higher value to the organization and, therefore, requires higher protection.
security by design
Security should be incorporated at the very beginning of development. Includes expanding requirements definitions, if needed. Includes security-focused testing. Example: App requires input validation for all HTML forms.
Commissioning
The technology is pushed into production.
Decommissioning and disposal
The technology is removed from production and securely disposed of when it is no longer viable.
Operation
The technology undergoes monitoring, maintenance, and configuration and change management processes to ensure it stays viable.
SQL Injection Mitigations
When the query is executed, the web app binds the actual values to parameters. Creates a different statement than the raw input. Quotation mark is interpreted literally, not part of query structure. Also called prepared statements.
Design and development:
Work begins on the technology itself in earnest.
Cookies (Persistent cookie)
Data created by a web app that stores and preserves user-specific app preferences, like authentication details.
Cookies (Session cookie)
Data created by a web app that tracks specific details about a user that is connected to the app using a browser.
Security by default
Default configuration of an app should be secure. End user should not have to harden the app themselves. Disables unnecessary features to reduce attack surface. Example: Web app disables geotagging by default, lets user enable it.
Geotagging
Geotagged media can include photos, videos, texts, etc. Geotagged photo metadata may include: User's latitude and longitude. User's altitude. User's compass direction. Name of the location. Usually relies on GPS, which is ubiquitous on mobile devices. Users may upload geotagged media to the Internet, unaware of its revealing nature. Raises significant privacy issues. Can compromise personnel's location. Consider disabling geotagging in apps altogether. If enabled, educate users about the dangers and give them an option to disable it.
Waterfall (Rigid module)
Phases of a lifecycle cascade. Next phase starts only if previous phase has ended. Suitable for projects without significant time constraints. Issues found earlier are easier to fix. Can't adequately address changing security requirements. There are no time constraints; we are not stuck to a timeline (per class). Final outcome is known. Rigid module.
XSRF Mitigation
Prevention is difficult because requests often look legitimate. User-specific tokens in form submissions may be effective. Web app generates a form for a user to submit a request. Form has hidden input parameter (token). Token must be randomly generated so it cannot be guessed. Other session management techniques may provide some protection. HTTP request header verification is unreliable. Attacker can easily create custom headers for requests.
Peer review
Programmers analyze each other's code for issues. Provides a fresh perspective on the testing process. Security issues can be difficult to recognize in one's own code.
SDLC Phases
Requirements building: What needs must the technology fulfill? Project planning: Optimize resource allocation during the lifecycle. Design and development: Work begins on the technology. Testing and evaluation: Ensure technology conforms to expectations. Commissioning: Technology is pushed into production. Operation: Technology undergoes management processes. Decommissioning and disposal: Technology is removed from production and disposed of. Recommissioning: Decommissioned technology is re-evaluated and pushed back into production.
Cookie Security Attributes (Expires)
Set persistent cookie expiration date. Browser deletes cookie on expiration.
Cookie Security Attributes (Path)
Specifies URL of site for which cookie is valid. Checked after Domain attribute.
Cookie Security Attributes (Domain)
Specifies domain of server for which cookie is valid. Limits scope of cookie.
Integration testing
Tests modules together to see if they interact as intended. Might be automated as part of a CI process. Integration conflicts might lead to security issues.
Commissioning
is the process of implementing the asset in an enterprise
Decommissioning
is the process of retiring an asset from use in an enterprise.
Clickjacking results in ________.
malware posting unwanted links on your Facebook page
NIST's Special Publication (SP) 800-64 Security Considerations in the System Development Lifecycle and Microsoft's Security Development Lifecycle (SDL)
This publication incorporates threat, vulnerability, and risk-related controls within the lifecycle to achieve systems that are secure by design, rather than secure in a passive and reactive sense.
SDLC
(systems development lifecycle) The practice of designing and deploying technology systems from the planning stages all the way to obsolescence.
Cookie poisoning
An attack in which an attacker modifies the contents of a cookie.
TOCTTOU (time-of-check-to-time-of-use)
A race condition that occurs when there is a change between an app checking a resource and actually using it.
Input Validation
A technique that ensures that input data is within acceptable bounds for the object that will receive the data.
Integer Overflows
A type of buffer overflow in which an application attempts to store a number in a variable type that is not large enough to store that number.
Buffer Overflow
A vulnerability in which an application copies data into an allocated memory buffer that is not large enough to accommodate it.
Cookie hijacking
An attack in which an attacker injects malicious code into a cookie to take control of a session.
XSS (Cross Site Scripting)
An attack that takes advantage of scripting and input validation vulnerabilities in web apps.
Security by deployment
App should be deployed to personnel or customers securely. Part of defense in depth strategy. Additional external layers of security protect the app. Examples: Firewalls, IDSes, authentication mechanisms.
Improper Storage of Sensitive Data
Apps store sensitive data like passwords, account records, company secrets, etc. Encryption is a popular and effective protection of this data. App encryption libraries make it easier for developers. Developers can still make mistakes, such as: Failing to identify and encrypt critical data. Insecure storage of encryption keys, certificates, and passwords. Improper handling of sensitive data in memory. Choosing a poor source of randomness for pseudorandom seeds. Using weak homebrewed algorithms. Failing to support secure key exchange.
Data Remnants
Apps working with sensitive data may not properly handle file deletion. Apps may keep headers and pointers associated with deleted files in memory. Headers can reveal metadata about files. Pointers may enable data recovery from unsanitized memory. Apps may store temporary files in directories the user is unaware of. Apps may not have exclusive access to temporary files. Apps may not properly remove temporary files. Attacker can glean information in remnant files.
DevOps
Combination of software development and systems operations. Integration improves speed and reliability of creating/deploying apps. Improves security automation practices. Supports infrastructure as code.
Spiral
Combined approach. Development is modified but follows overall end-to-beginning structure. Useful for large and complex projects. You must incorporate security from the very beginning of the lifecycle. (Imposes risk analysis.) It is a combination of Waterfall and incremental module.
Design Phase (SDLC)
During this process, the state of the application is determined in every phase of its activities. The state of the application refers to its functional and security posture during each operation it performs. Therefore, all possible operations must be identified to ensure that the software never enters an insecure state or acts in an unpredictable way. Identifying the attack surface is also a part of this analysis.
Versioning
Ensuring that changes to project assets are closely managed. Identifies change milestones as version numbers. Issues are associated with a particular version. Developers can revert to older versions if need be.
Regression testing
Evaluates if changes cause existing functionality to fail. Changes can trigger previous issues. Identify security mechanisms that worked before but have now broken.
privilege escalations
Example: Normal user exploits a vulnerability to gain root-level privileges. Vertical/elevation: User performs functions not assigned to role or explicitly permitted. Low privilege user gains access to functions reserved for high privilege users. Horizontal: User accesses resources they are not entitled to. Attacker can exploit vulnerability to obtain other app users' private data. Least privilege is vital as a defense. Buffer overflow protection can defend against crashes leading to privilege escalation.
XSRF is possible when a user has a connection to a malicious site while a connection to a legitimate site is still alive.
Exploits web browser's trust in user's unexpired cookies. Sites that function based on input from cookie-authenticated users are at risk. Found on most websites that have a Remember Me option. Attacker takes advantage of saved authentication data in cookie. Attacker can therefore gain access to sensitive data.
Agile (Rapid module)
Focuses on adaptive measures. Short, rapid iterations in development. Useful in complex, unpredictable systems. Difficult to keep up with the security of evolving code. Per class, final outcome is not known. Rapid module.
Unit testing
Individual pieces of code are given a "pass/fail" evaluation. Test every complete block of code. Minimizes security issues through techniques like input validation.
Requirements building
Identifying what needs the technology must fulfill for it to be viable.
Race Conditions
If events fail to execute as intended, the race condition becomes a vulnerability. Often depend on unknown variables, so can be difficult to detect and mitigate. Attacker can manipulate data after check but before use. Example: Replacing a file created by an app before it is used. Don't define processes sequentially unless necessary. Implement locking mechanisms before a check. Example: Locking access to a file while used by the app.
Race conditions occur only if ...
If events fail to execute as intended, the race condition becomes a vulnerability. Often depend on unknown variables, so can be difficult to detect and mitigate. Attacker can manipulate data after check but before use. Example: Replacing a file created by an app before it is used. Don't define processes sequentially unless necessary. Implement locking mechanisms before a check. Example: Locking access to a file while used by the app.
acquisition phase
In this phase, the following questions are answered, so which phase is it? • What functions does the system need to perform? • What potential risks to CIA are exposed by the solution? • What protection levels must be provided to satisfy legal and regulatory requirements? • What tests are required to ensure that security concerns have been mitigated? • How do various third-party solutions address these concerns? • How do the security controls required by the solution affect other parts of the company security policy? • What metrics will be used to evaluate the success of the security controls?
disposal stage
This stage consists of removing the solution from the environment when it reaches the end of its usefulness. When this occurs, an organization must consider certain issues, including: • Does removal or replacement of the solution introduce any security holes in the network? • How can the system be terminated in an orderly fashion so as not to disrupt business continuity? • How should any residual data left on any systems be removed? • How should any physical systems that were part of the solution be disposed of safely?
Implementation stage
In this stage, senior management formally approves the system before it goes live. Then the solution is introduced to the live environment, which is the operation/maintenance stage—but not until the organization has completed both certification and accreditation.
Input Validations
Input data should: Be within size constraints of allocated memory. Be formatted in the expected way. Make sense in the context for which it will be used. Input data not meeting these constraints should be rejected. Example: Input field asks for a date. Attacker enters malicious code into the field. Validation checks for the expected format (mm/dd/yyyy). Validation rejects the input. XSS and SQL injections often exploit weak or non-existent input validation. Attacker can compromise data and the underlying app or system.
Memory Leaks, DLL Injection and Null Pointers are all
The result of an application allocating memory and then not freeing it when it is no longer required for usage by the application.
Session fixation
The technique of forcing a user to browse a website in the context of a known and valid session.
Session prediction
The technique of identifying weaknesses in session token generation to predict future session values.