Chapter 15 Sec +
zero-day exploit.
A vulnerability that is exploited before the developer knows about it or can release a patch is called a ___________. These can be extremely destructive, as it can take the vendor a lot of time to develop a patch, leaving systems vulnerable for days, weeks, or even years.
stress testing
Associated with fuzzing is the concept of _________ an application to see how an application performs under extreme performance or usage scenarios.
The concepts of Agile operations and DevOps support a few new approaches to deploying code:
Immutable infrastructure Infrastructure as Code
Security automation
The concept of scripted or programmed infrastructure can also be applied to security infrastructure (firewalls, IDS, SIEM, and privilege management). For example, security automation might mean that a user account is provisioned by running a script for the appropriate role rather than relying on a human administrator to select the appropriate security groups and policy settings.
Immutable infrastructure
This approach first strictly divides data from the components processing data. Once designed and provisioned as instances, the components are never changed or patched in place. Deploying a patch or adding a new application means building a new instance and deploying that.
Infrastructure as Code
This is the principle that when deploying an application, the server instance supporting the application can be defined and provisioned through the software code. Imagine a setup program that not only installs the application but also creates a VM and OS on which to run the application.
Fuzzers are also distinguished by
by the way in which they craft each input (or test case). The fuzzer may use semi-random input (dumb fuzzer) or might craft specific input based around known exploit vectors, such as escaped command sequences or character literals, or by mutating intercepted inputs.
Finally, the fuzzer needs some means of
detecting an application crash and recording which input sequence generated the crash.
pointer
is a reference to an object at a particular memory location.
Dynamic analysis
means that the application is tested under "real world" conditions using a staging environment.
This model is referred to as software development and operations (DevOps). DevOps means
means that there is much more collaboration between developers and system administrators.
Agile addresses the idea
the idea that resiliency, the ability to sustain performance despite failures, is a better and more achievable goal than the elimination of faults. This principle is referred to as fail fast (and learn quickly).
There are generally three types of fuzzers, representing different ways of injecting manipulated input into the application:
• Application UI—identify input streams accepted by the application, such as input boxes, command line switches, or import/export functions. • Protocol—transmit manipulated packets to the application, perhaps using unexpected values in the headers or payload. • File format—attempt to open files whose format has been manipulated, perhaps manipulating specific features of the file.
There are two main types of privilege escalation:
• Vertical privilege escalation (or elevation) is where a user or application can access functionality or data that should not be available to them. For instance, a user might have been originally assigned read-only access (or even no access) to certain files, but after vertical escalation, the user can edit or even delete the files in question. • Horizontal privilege escalation is where a user accesses functionality or data that is intended for another user. For instance, a user might have the means to access another user's online bank account.
SERVER-SIDE VERSUS CLIENT-SIDE VALIDATION
A web application (or any other client-server application) can be designed to perform input validation locally (on the client) or remotely (on the server). Applications may use both techniques for different functions.
OS function calls to allow DLL
injection are legitimately used for operations such as debugging and monitoring.
Some of the most important coding practices are
input validation, error handling, and implementing proper authentication and authorization of sessions.
Dynamic Link Library (DLL)
is a binary package that implements some sort of standard functionality, such as establishing a network connection or performing cryptography. The main process of a software application is likely to load (or call) several DLLs during the normal course of operations.
Data exposure
is a fault that allows privileged information (such as a token, password, or PII) to be read without being subject to the appropriate access controls. Applications must only transmit such data between authenticated hosts, using cryptography to protect the session. When incorporating encryption in your code, it's important to use encryption algorithms and techniques that are known to be strong, rather than creating your own.
dereferencing
Attempting to access that memory address is called
A typical attack would proceed as follows:
1. The attacker identifies an input validation vulnerability in the trusted site. 2. The attacker crafts a URL to perform a code injection against the trusted site. This could be coded in a link from the attacker's site to the trusted site or a link in an email message. 3. When the user clicks the link, the trusted site returns a page containing the malicious code injected by the attacker. As the browser is likely to be configured to allow the site to run scripts, the malicious code will execute. 4. The malicious code could be used to deface the trusted site (by adding any sort of arbitrary HTML code), steal data from the user's cookies, try to intercept information entered into a form, or try to install malware. The crucial point is that the malicious code runs in the client's browser with the same permission level as the trusted site.
canonicalization attack
An attacker might use a canonicalization attack to disguise the nature of the malicious input. Canonicalization refers to the way the server converts between the different methods by which a resource such as a file path or URL may be represented and submitted to the simplest (or canonical) method used by the server to process the input. Examples of encoding schemes include HTML entities and character set encoding (ASCII and Unicode). An attacker might be able to exploit vulnerabilities in this process to perform code injection or facilitate directory traversal.
This gives a malicious process on the same host the chance of recovering the key from memory.
Another option is to encrypt the code, but if the code is to run, the encryption key must be made available on the host at some point.
HTTP header manipulation attack
HTTP Response Splitting or CRLF injection. The attacker would craft a malicious URL and convince the victim to submit it to the web server. This could be encoded in something like an image tag, so the user may not have to choose to click a link. The URL contains extra line feeds, which may be coded in some non-obvious way. Unless the web server strips these out when processing the URL, it will be tricked into displaying a second HTTP response, containing content crafted by the attacker. This content could deface the genuine page, overlay a fake authentication form, perform some sort of XSS injection attack, and so on.
confused deputy
If the target site assumes that the browser is authenticated because there is a valid session cookie and doesn't complete any additional authorization process on the attacker's input (or if the attacker is able to spoof the authorization), it will accept the input as genuine. This is also referred to as a ___________ attack (the point being that the user and the user's browser are not necessarily the same thing).
OBFUSCATION/CAMOUFLAGE
In development, it is important that code be well documented, to assist the efforts of multiple programmers working on the same project. Well-documented code is also easier to analyze. Code can be made difficult to analyze by using an obfuscator, which is software that randomizes the names of variables, constants, functions, and procedures, removes comments and white space, and performs other operations to make the compiled code physically and mentally difficult to read and follow. This sort of technique might be used to make reverse engineering an application more difficult and as a way of disguising malware code.
XSS/XSRF PREVENTION
Input validation should be enough to defeat most cross-site style attacks. The other consideration is for the application to use secure authentication and authorization procedures. Naïve methods of recording sessions, such as unencrypted cookies, should be deprecated. Even if a user has authenticated, any actions the user attempts to perform should be properly authorized using some sort of secure token that an attacker cannot spoof or replay.
This allows changes to be rolled back
Most software development environments use a build server to maintain a repository of previous versions of the source code. When a developer commits new or changed code to the repository, the new source code is tagged with an updated version number and the old version archived. ___________________________ if a problem is discovered. Continuous integration is the principle
arbitrary code
The attacker may be able to use the exploit to obtain sufficient privileges to run whatever malware
Cross-Site Scripting (XSS)
The attacks just described mostly target weaknesses of server-side application code or security measures. There are also many attacks against the browser (client-side code and security measures). ____________ is one of the most powerful input validation exploits. ________ involves a trusted site, a client browsing the trusted site, and the attacker's site.
shim
The code library that intercepts and redirects calls to enable legacy mode functionality is called a shim. The shim must be added to the registry and its files (packed in a _________ database/.SDB file) added to the system folder. The _______ database represents another way that malware with local administrator privileges can run on reboot (persistence).
arbitrary code execution
The purpose of the attacks against application or coding vulnerabilities is to allow the attacker to run his or her own code on the system. This is referred to as
An application model is a statement of the requirements driving the software development project.
The requirements model is tested using processes of Verification and Validation (V&V): • Verification is a compliance testing process to ensure that the product or system meets its design goals. • Validation is the process of determining whether the application is fit-for-purpose (so for instance, its design goals meet the user requirements).
There are two principal SDLCs: the waterfall model and Agile development.
The waterfall model includes the following phases: • Requirements—capture everything that the system must do and the levels to which it must perform. • Design—develop a system architecture and unit structure that fulfills the requirements. • Implementation—develop the system units as programming code. • Verification—ensure the implementation meets the requirements and design goals. • Testing—integrate the units and ensure they work as expected. • Maintenance—deploy the system to its target environment and ensure that it is operated correctly. • Retirement—remove (deprovision) the system and any dependencies if they are no longer used.
buffer overflow
To exploit a _____________ vulnerability, the attacker passes data that deliberately overfills the buffer (an area of memory) that the application reserves to store the expected data.
normalization
Where an application accepts string input, the input should be subjected to ______________procedures before being accepted. ______________means that a string is stripped of illegal characters or substrings and converted to the accepted character set. This ensures that the string is in a format that can be processed correctly by the input validation routines.
remote code execution
Where the code is transmitted from one machine to another, it is sometimes referred to as _______________. The code would typically be designed to install some sort of Trojan or to disable the system in some way (Denial of Service).
Third-party library
a binary package (such as a Dynamic Link Library) that implements some sort of standard functionality, such as establishing a network connection or performing cryptography. Each library must be monitored for vulnerabilities and patched promptly.
If a process is operating correctly, when it no longer requires
a block of memory, it should release it. If the program code does not do this, it could create a situation where the system continually leaks memory to the faulty process. This means less memory is available to other processes and the system could crash.
Heap overflow
a heap is an area of memory allocated by the application during execution to store a variable of some sort. A heap overflow can overwrite those variables, with unexpected effects. An example is a known vulnerability in Microsoft's GDI+ processing of JPEG images.
stored (or persistent) XSS attack
aims to insert code into a back-end database used by the trusted site. For example, the attacker may submit a post to a bulletin board with a malicious script embedded in the message. When other users view the message, the malicious script is executed.
Array index overflow
an array is a type of variable designed to store multiple values. It is possible to exploit unsecure code to load the array with more values than it expects, creating an exception that could be exploited.
Memory leaks
are particularly serious in service/background applications, as they will continue to consume memory over an extended period. Memory leaks in the OS kernel are also extremely serious. A memory leak may itself be a sign of a malicious or corrupted process.
command injection
attack attempts to run OS shell commands from the browser. As with directory traversal, the web server should normally be able to prevent commands from operating outside of the server's directory root and to prevent commands from running with any other privilege level than the web "guest" user (who is normally granted only very restricted privileges). A successful command injection attack would find some way of circumventing this security (or find a web server that is not properly configured).
Man-in-the-Browser (MitB) attack
attack is where the web browser is compromised by installing malicious plug-ins or scripts or intercepting API calls between the browser process and DLLs. The Browser Exploitation Framework (BeEF) (https://beefproject.com) is one well-known MitB tool. There are various vulnerability exploit kits that can be installed to a website and actively try to exploit vulnerabilities in clients browsing the site
Normally, a cookie can only be used
be used by the server or domain that created it, but this can be subverted by a Cross-Site Scripting attack.
Clickjacking can be mitigated by
by using HTTP response headers that instruct the browser not to open frames from different origins (domains) and by ensuring that any buttons or input boxes on a page are positioned on the top-most layer.
Cross-Site Request Forgery (XSRF)
can exploit applications that use cookies to authenticate users and track sessions. To work, the attacker must convince the victim to start a session with the target site. The attacker must then pass an HTTP request to the victim's browser that spoofs an action on the target site, such as changing a password or an email address. This request could be disguised in a few ways (as an image tag, for instance) and so could be accomplished without the victim necessarily having to click a link.
integer overflow attack causes
causes the target software to calculate a value that exceeds these bounds. This may cause a positive number to become negative (changing a bank debit to a credit, for instance). It could also be used where the software is calculating a buffer size; if the attacker is able to make the buffer smaller than it should be, he or she may then be able to launch a buffer overflow attack.
Human analysis of software source code is described as a
code review or as a manual peer review. It is important that the code be reviewed by developers (peers) other than the original coders to try to identify oversights, mistaken assumptions, or a lack of knowledge or experience. It is important to establish a collaborative environment in which reviews can take place effectively.
Transitive access
describes the problem of authorizing a request for a service that depends on an intermediate service. For example, say a user orders an ebook through some e‑commerce application on a merchant site. The merchant site processes the order and then places a request to a publisher site to fulfill the ebook to the user.
Agile
development flips the waterfall model by iterating through phases concurrently on smaller modules of code or sub-projects.
Software Development Lifecycle (SDLC)
divides the creation and maintenance of software into discrete phases.
Cookies are
either non-persistent (or session) cookies, in which case they are stored in memory and deleted when the browser instance is closed, or persistent, in which case they are stored on the hard drive until deleted by the user or pass a defined expiration date. For example, if, when logging in, the user selects the Remember Me option, then a cookie is saved and accessed the next time they visit that web page.
input handling, but many attacks can be described as either
either overflow-type attacks or injection-type attacks:
Some applications may use headers to
encode some user data, such as setting a cookie or returning the value of a cookie. If this is the case, as with forms and URLs, an attacker could try to inject code to perform a malicious action on the target server or client if the web application does not process the header correctly.
A third type of XSS attack
exploits vulnerabilities in client-side scripts. Such scripts often use the Document Object Model (DOM) to modify the content and layout of a web page. For example, the "document.write" method enables a page to take some user input and modify the page accordingly. An attacker could submit a malicious script as input and have the page execute the script. Such exploits can be very powerful as they run with the logged in user's privileges of the local system.
Provisioning
g is the process of deploying an application to the target environment, such as enterprise desktops, mobile devices, or cloud infrastructure. An enterprise provisioning manager might assemble multiple applications in a package. Alternatively, the OS and applications might be defined as a single instance for deployment on a virtualized platform. The provisioning process must account for changes to any of these applications so that packages or instances are updated with the latest version.
If the attacker submitted the URL using the encoded version of the characters, he or she might be able to circumvent the validation routine:
http://victim.com/show=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/ config
example, to perform a directory traversal attack, the attacker might submit a URL such as:
http://victim.com/show=../../../../etc/config
A program may make use of existing code in the following ways:
• Code reuse— • Third-party library— • Software Development Kit (SDK)—
Fuzzing
is a means of testing that an application's input validation routines work well. Fuzzing means that the test or vulnerability scanner generates large amounts of deliberately invalid and/or random input and records the responses made by the application. This is a form of "stress testing" that can reveal how robust the application is.
stored procedure
is a part of a database that executes a custom query. The procedure is supplied an input by the calling program and returns a pre-defined output for matched records. This can provide a more secure means of querying the database. Any stored procedures that are part of the database but not required by the application should be disabled.
Unreachable code
is a part of application source code that can never be executed. For example, there may be a routine within a logic statement (If ... Then) that can never be called because the conditions that would call it can never be met.
INTEGER OVERFLOW
is a positive or negative number with no fractional component (a whole number). Integers are widely used as a data type, where they are commonly defined with fixed lower and upper bounds.
HTTP is a
is a stateless protocol meaning that the server preserves no information about the client.
Clickjacking
is an attack where what the user sees and trusts as a web application with some sort of login page or form contains a malicious layer or invisible iFrame that allows an attacker to intercept or redirect user input. It can be launched using any type of compromise that allows the adversary to run JavaScript (XSS, CSRF, or MitB, for instance).
Directory traversal
is another common input validation attack. The attacker submits a request for a file outside the web server's root directory by using the command to navigate to the parent directory (../). This attack can succeed if the input is not filtered properly and access permissions on the file are the same as those on the web server root.
Dead code
is executed but has no effect on the program flow. For example, there may be code to perform a calculation, but the result is never stored as a variable or used to evaluate a condition.
XML injection
is fundamentally the same thing but targeted against web services using XML data formats, rather than SQL.
DLL injection
is not a vulnerability of an application but of the way the operating system allows one process to attach to another. This functionality can be abused by malware to force a legitimate process to load a malicious link library. The link library will contain whatever functions the malware author wants to be able to run. Malware uses this technique to move from one host process to another to avoid detection.
Static code analysis (or source code analysis)
is performed against the application code before it is packaged as an executable process. The analysis software must support the programming language used by the source code. The software will scan the source code for signatures of known issues, such as OWASP Top 10 Most Critical Web Application Security Risks or injection vulnerabilities generally. NIST maintains a list of source code analyzers and their key features (https://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html).
The main issue with server-side validation
is that it can be time-consuming, as it may involve multiple transactions between the server and client.
The main issue with client-side validation
is that the client will always be more vulnerable to some sort of malware interfering with the validation process.
Code signing
is the principal means of proving the authenticity and integrity of code (an executable or a script). The developer creates a cryptographic hash of the file then signs the hash using his or her private key. The program is shipped with a copy of the developer's code signing certificate, which contains a public key that the destination computer uses to read and verify the signature. The OS then prompts the user to choose whether to accept the signature and run the program.
Continuous integration
is the principle that developers should commit updates often (every day or sometimes even more frequently). This is designed to reduce the chances of two developers spending time on code changes that are later found to conflict with one another.
Deprovisioning
is the process of removing an application from packages or instances. This might be necessary if software has to be completely rewritten or no longer satisfies its purpose. As well as removing the application itself, it is also important to make appropriate environment changes to remove any configurations (such as open firewall ports) that were made just to support that application.
race condition vulnerability
is typically found where multiple threads are attempting to write a variable or object at the same memory location. Race conditions have been used as an anti-virus evasion technique. In 2016, the Linux® kernel was discovered to have an exploitable _________ vulnerability, known as Dirty COW. This type of vulnerability is mitigated by ensuring that a memory object is locked when one thread is manipulating it.
exploit kits
may either be installed to a legitimate site without the owner's knowledge (by compromising access control on the web server) and load in an iFrame (invisible to the user), or the attacker may use phishing/social engineering techniques to trick users into visiting the site, using Google™ search results, ads, typosquatting, or clicking an email link.
Refactoring
means that the code performs the same function by using different methods (control blocks, variable types, and so on). This might be done legitimately to improve the code in some way, such as making it run more efficiently or making it easier to maintain and update. Refactoring can also be used by malware authors to evade detection by A-V scanners because the different code syntax means that the malware must be identified by a new signature, or be caught by heuristic analysis.
In the waterfall framework, each phase must be
must be completed and signed off before the next phase can begin. In this model, it can be hard to go back and make changes to the original specification, whether because of changed customer requirements or because of requirements or design problems discovered during implementation, testing, and deployment.
Race conditions
occur when the outcome from execution processes is directly dependent on the order and timing of certain events, and those events fail to execute in the order and timing intended by the developer.
Locally Shared Objects (LSOs)
or Flash cookies, are data that is stored on a user's computer by websites that use Adobe® Flash® Player. A site may be able to track a user's browsing behavior through LSOs, causing a breach of privacy. Even if a user wipes tracking objects from their browser, LSOs may remain on their system.
input validation attack
passes invalid data to the application, and because the input handling on the routine is inadequate, it causes the application or even the OS to behave in an unexpected way.
Consequently, client-side validation is usually
restricted to informing the user that there is some sort of problem with the input before submitting it to the server. Even after passing client-side validation, the input will still undergo server-side validation before it can be posted (accepted). Relying on client-side validation only is poor programming practice.
the pointer has been
set to a null value (perhaps by some malicious process altering the execution environment), this creates a null pointer type of exception and the process will crash. Programmers can use logic statements to test that a pointer is not null before trying to use it.
Unreachable and dead code should be
should be removed from the application to forestall the possibility that it could be misused in some way. The presence of unreachable/dead code can indicate that the application is not being well maintained.
The main goal must be for the application not to fail in a way
that allows the attacker to execute code or perform some sort of injection attack.
Injection
the attacker embeds code within the input or appends code to it that executes when the server processes the submission.
Overflow
the attacker submits input that is larger than the variables assigned by the application to store it can cope with.
When an application is compiled
the compiler tests that the code is well-formed. Well-formed does not mean that the code will execute without errors, just that its syntax is compliant with the requirements of the programming language. For functional testing, code must be executed in its runtime environment
To perform DLL injection
the malware must already be operating with sufficient privileges (typically, local administrator or system privileges). It must also evade detection by anti-virus software. One means of doing this is code refactoring.
INPUT VALIDATION
the primary vector for attacking applications is to exploit faulty input validation. Input could include user data entered into a form or URL passed by another application or link. Malicious input could be crafted to perform an overflow attack or some type of injection attack. To mitigate this risk, all input methods should be documented with a view to reducing the potential attack surface exposed by the application. There must be routines to check user input, and anything that does not conform to what is required must be rejected.
Software Development Kit (SDK)
the programming environment used to create the software might provide sample code or libraries of pre-built functions. As with other third-party libraries or code, it is imperative to monitor for vulnerabilities.
Stack overflow
the stack is an area of memory used by a program subroutine. It includes a return address, which is the location of the program that called the subroutine. An attacker could use a buffer overflow to change the return address, allowing the attacker to run arbitrary code on the system. Two examples of this are the Code Red worm, which targeted Microsoft's IIS web server (version 5) and the SQLSlammer worm, which targeted Microsoft SQL Server® 2000.
Many arbitrary code attacks depend on
the target application having faulty memory management procedures. This allows the attacker to execute his or her own code in the space marked out by the target application. There are known unsecure practices for memory management that should be avoided and checks for processing untrusted input, such as strings, to ensure that it cannot overwrite areas of memory.
If cookies are used to store confidential information
the web application should encrypt them before sending them to the client. If using TLS, information in a cookie would be secure in transit but reside on the client computer in plaintext, unless it had been separately encrypted.
Another opportunity for malware authors to
to exploit these calls is the Windows Application Compatibility framework. This allows legacy applications written for an OS, such as Windows® XP, to run on Windows 10.
Another weakness is where cookies are used to establish
used to establish sessions in an application or for user authentication. Session IDs are often generated using predictable patterns (such as IP address with the date and time), making the session vulnerable to eavesdropping and possibly hijacking, by replaying the cookie to re-establish the session.
Code reuse
using a block of code from elsewhere in the same application or from another application to perform a different function (or perform the same function in a different context). The risk here is that the copy and paste approach causes the developer to overlook potential vulnerabilities (perhaps the function's input parameters are no longer validated in the new context).
Another issue is that an application's interpreter will
will default to a standard handler and display default error messages when something goes wrong. These may reveal the inner workings of code to an attacker. It is better for an application to use custom error handlers so that the developer can choose the amount of information shown when an error is caused.
Static code review techniques will not reveal
will not reveal vulnerabilities that might exist in the runtime environment, such as exposure to race conditions.
A limited input validation routine
would prevent the use of the string ../ and refuse the request.
APPLICATION AUDITING: These should take place when the application is first commissioned and when it is upgraded or at regular intervals thereafter to ensure that the application is not vulnerable to new threats.
• A design review will ensure that security is a requirement for the application. One of the design goals of a secure application should be to reduce the attack surface. The attack surface is all the ways that a user (including malicious users) can interact with the application. This includes ways that the application designer has foreseen, such as form fields and Application Programming Interfaces (API)—methods other applications can call—and those that they have not. As well as simplifying the application, it is also important to reduce the attack surface of the host OS and network. These should be set at the minimum configuration required to run the application. • A code review is an in-depth examination of the way the application is written to ensure that it is well written and does not expose the application to known input validation or injection attacks. • An architecture review will analyze the systems on which the application depends. This could include the underlying OS and database application, programming language and development environment, client platform (PC and/or mobile), browsers, and plug-ins, and so on.
A runtime environment will use one of two approaches for execution on a host system:
• Compiled code is converted to binary machine language that can run independently on the target OS. • Interpreted code is packaged pretty much as is but is compiled line-by-line by an interpreter. This offers a solution that is platform independent because the interpreter resolves the differences between OS types and versions.
The phases of the Agile model are:
• Concept—devise the initial scope and vision for the project and determine its feasibility. • Inception—identify stakeholders and support for the project and start to provision resources and determine requirements. • Iteration—prioritize requirements and work through cycles of designing, developing, testing, and test deploying solutions to the project goals, adapting to changing requirements, priorities, and resources as needed. • Transition—perform final integration and testing of the solution and prepare for deployment in the user environment. • Production—ensure that the solution operates effectively. • Retirement—deprovision the solution and any environmental dependencies.
During development, the code is normally passed through several different environments:
• Development—The code will be hosted on a secure server. Each developer will check out a portion of code for editing on his or her local machine. The local machine will normally be configured with a sandbox for local testing. This ensures that whatever other processes are being run locally do not interfere with or compromise the application being developed. • Test/integration—In this environment, code from multiple developers is merged to a single master copy and subjected to basic unit and functional tests (either automated or by human testers). These tests aim to ensure that the code builds correctly and fulfills the functions required by the design. • Staging—This is a mirror of the production environment but may use test or sample data and will have additional access controls so that it is only accessible to test users. Testing at this stage will focus more on usability and performance. • Production—The application is released to end users.
Secure development means that at each phase, security considerations are accounted for:
• Planning—train developers and testers in security issues, acquire security analysis tools, and ensure the security of the development environment. • Requirements—determine needs for security and privacy in terms of data processing and access controls. • Design—identify threats and controls or secure coding practices to meet the requirements. • Implementation—perform "white box" source code analysis and code review to identify and resolve vulnerabilities. • Testing—perform "black box" or "gray box" analysis to test for vulnerabilities in the published application (and its publication environment). • Deployment—ensure source authenticity of installer packages and publish best practice configuration guides. • Maintenance—ongoing security monitoring and incident response procedures, patch development and management, and other security controls.
It is important to be able to validate the integrity of each coding environment. Compromise in any environment could lead to the release of compromised code.
• Sandboxing—Each development environment should be segmented from the others. No processes should be able to connect to anything outside the sandbox. Only the minimum tools and services necessary to perform code development and testing should be allowed in each sandbox. • Secure baseline—Each development environment should be built to the same specification, possibly using automated provisioning. • Integrity measurement—This process determines whether the development environment varies from the secure baseline. Perhaps a developer added an unauthorized tool to solve some programming issue. Integrity measurement may be performed by scanning for unsigned files or files that do not otherwise match the baseline.
There are three principal exploits: BUFFER OVERFLOW
• Stack overflow— • Heap overflow— • Array index overflow—
Designing the trust relationships between these three parties is complicated:
• The merchant site could impersonate the end user to obtain publisher site services fraudulently. • The end user could exploit weaknesses in the merchant site to obtain unauthorized services from the publisher site.