Security + Chapter 11: Managing Application Security
Embedded System Constraints
- Network: are not scalable, some can only communicate through Wi-Fi or Bluetooth and are short range. Difficult to transfer data from one to another. - Crypto: PKI needs at least a 32-bit processor, and these are limited to 8 or 16, so you will need significant overhead when trying to authenticate which may be very slow. - Hardware Upgrade/Patching: most devices can't have their hardware upgraded and some do not have ability to patch; some vendors don't produce patches. - Cost: mainly customized, and when the new product is released, the cost of purchase is outside the range of normal users - Implied Trust: when you purchase, you need to hope that there is implied trust, where the system operates as described because you may not be able to troubleshoot devices.
Open Web Application Security Project (OWASP)
An international, not-for-profit organization that provides an up-to-date list of the most recent web application security concerns. They rely on donations to exist. They provide resources like tools, community and networking, education and training. Run seminars all over the world for the security of web, cloud, mobile apps, and software development and maintenance.
Arduino
An open source programmable microprocessor/microcontroller. Boards are programmable through a USB. They are able to read inputs whether it be a light on a sensor, or an activity like turning on a LED, publishing something online, or activating a motor. Can be run from a 9-volt battery and can be used to control electronic components. It has shields which allow you to add wireless or Bluetooth to it so it can be used to build a robot.
Application Security: Secure Cookies
Cookies are used by web browsers and contain information about a session. They can be stolen by attackers to carry out session hijacking attacks. One can set the secure flag on the website to ensure that cookies are only downloaded when there is a secure HTTPS session.
Secure Coding Techniques: Memory Management
Developers must control how much memory their code consumes as it can create performance issues. Memory leaks are when apps consume more memory than they need and, over time, starve other apps of memory they need.
Application Security: Dynamic Code Analysis
Developers run code locally and then use a technique called fuzzing, where a random input is inserted into the application to see what the output will be. White box pen testers use fuzzing to see the flaws and weaknesses in an app before it is rolled out to prod.
Industrial Control System (ICS)
Encompasses several types of control systems and instrumentation used for industrial process control. Used for water, telecommunications, health, chemicals and pharmaceuticals, water supply and treatment.
Secure Coding Techniques: Use of Third-Party Libraries
Many third-parties have code libraries that may not be perfect, but offer a fast way for a business to get mobile apps to market. Many are from Android and JavaScript.
Integrity Measurement
Measuring the integrity of the application is done to ensure it performs as it should and conforms to data industry standard and regulations. Before the app is written, a third-party coding expert should carry out regression testing to confirm there are no flaws in the code. Test that security features are safe and no vulnerabilities exist. If anything is found out of the ordinary, they should be addressed quickly.
Secure Coding Techniques: Data Exposure
One should limit the amount of data allocated to a user who is using an application, and should also use input validation and DLP to protect the data.
Application Security: Allow List
Only allows explicitly allowed apps to run. This can be done by setting up an application whitelist. Firewalls like pf-sense can have an allow list.
Secure Coding Techniques: Stored Procedure
Pre-written SQL script that is saved in the database. Attackers can't modify these scripts.
Continuous Delivery
Process of fixing bugs before the app moves into production. Happens during the staging phase.
Continuous Deployment
Process of pushing out new updates into production software, like patching.
Continuous Integration
Process where multiple software developers consolidate and test the code that they write to ensure the different input codes do not conflict. Performed during development and testing phases.
Production
Prod environment is where the app goes live, and end users have the support of the IT team. End users will be asked to give feedback if the app has any problems that were not picked up beforehand.
Databases: Salting
Salting passwords in a database means we take the password stored in the DB and add randomized numbers to it to increase the compute time for a brute-force attack.
Endpoint Protection: Anti-Malware
Scans computer for adware and spyware and prevents malicious software from running. These can't be protected by anti-virus programs.
Narrow-Band
Short-range, wireless applications that are used with radio frequency identification (RFID) or keyless vehicle entry products.
Hardware Security Module (HSM)
Similar to a TPM chip, except it is removable. The Key Escrow uses an HSM to store and manage private keys, but smaller ones can be used for computers.
Provisioning and Deprovisioning
The concept of application provisioning is the life cycle of designing, preparing, creating, and managing the applications, and ensuring there are no flaws in the security before release. Deprovisioning is when an application meets its end of life and is removed and data is migrated to the new system or disposed of, ensuring it's done so in accordance with local regulations.
Multifunctional Printers (MFPs)
The weakness of MFPs is they all have a network interface and could be attacked through it. Any default settings or passwords must be changed.
Application Security: Static Code Analyzers
These allow code to be executed inside this tool instead of run locally. It then reports any flaws or weaknesses.
Application Security: HTTP Headers
These are designed to transfer information between the host and the web server. An attacker can carry out a XSS attack as it is mainly delivered through injecting HTTP response headers. This can be prevented by entering the HTTP Strict Transport Security (HSTS) header which ensures the browser will ignore all HTTP connections.
Zigbee
These chips are integrated with microcontrollers and radios. They are powered by battery as they are low cost and low power. Examples of use include Abode smart security system, Bosch security systems, and Honeywell thermostats.
Application Security: Block List/Deny List
These prevent explicitly blocked apps from being set up by using a blacklist to prevent banned apps from running. Firewalls like pf-sense can have a block list.
Hardening: Operating System
To harden the OS, it must have the latest patches and updates. Subscribing to security bulletins from the vendor helps to get updates when new patches are released.
Full Disk Encryption (FDE)
Uses X509 certificates to encrypt full disks, but needs a TPM chip on the motherboard to store the keys. If it thinks the drive has been tampered with it will lock it and require a 48-character key to unlock it. - TPM Chip: Stored on motherboard and is used to store the encryption keys so when the system boots up, it can compare the keys and ensure the system has not been tampered with. - Hardware Root of Trust: When the certificates for FDE are used, they use a hardware root of trust that verifies the keys match before the secure boot process takes place.
Software Development Life Cycle (SDLC)
- Waterfall Model: older version of SDLC where each stage is completed before the next commences (also known as cascade model) - Agile Model: newer, faster, more flexible model where several stages of development can occur simultaneously. It is customer focused. Each part of the project is called a sprint.
Field Programmable Gate Array (FPGA)
A chip that can be configured by the user for a specific purpose. As close to creating your own chip as you can get. Takes code and stores it in multiple hardware blocks which contain register and logic units. Has no function at all and no processor which makes it very flexible. Also are super fast because they have Gbps capability with built-in transceiver and serial decoding.
Application Security: Code Signing
A code-signing certificate is procured which allows one to digitally sign scripts and executables to verify their authenticity and to confirm that they are genuine.
Raspberry Pi
A credit card size computer that allows you to run program languages such as Python or Scratch. Can be plugged into a monitor or computer.
Unified Extensible Firmware Interface (UEFI)
A modern version of the BIOS that is more secure and is needed for a secure boot of the OS. The BIOS can't provide a secure boot.
Endpoint Protection: Host Intrusion Detection System (HIDS)
A passive device that monitors patterns in the behavior of a computer system. Uses a database that contains the settings for a computer, including the registry, critical system files, applications, and components. Its function is to alert the user to any discrepancies or attacks.
Application Programming Interface (API)
A set of software routines that allows one software system to work with another. Created to allow systems to be programmed to talk to one another. Using a compiler to obfuscate API methods will make it harder for attackers to reverse engineer the code.
Endpoint Protection and Response (EDR)
An advanced solution that is better than antivirus/anti malware. It's a centralized console that continuously monitors the computer and makes automatic alerts when a threat is detected. It uses machine learning to detect threats and can detect file-less viruses.
Endpoint Protection: DLP
An endpoint DLP solution can be set up so it can protect data on computer from being stolen by using email or a USB drive. It can also protect any data that has a pattern match, such as PII or sensitive data.
System on a Chip (SoC)
An integrated circuit on a microchip that connects the functionality of a computer on a small microchip. Life support devices use this.
Endpoint Protection: Host-Based Firewall
Can be used to prevent unauthorized access to the desktop and can set up permitted rules for approved applications. Acts as an additional layer of protection to the computer by controlling the traffic coming into it.
Medical Devices
Can include infusion devices that measure fluids that are given to patients in hospitals, and defibrillators which ambulances carry and are used to save a person's life. Defibrillators will have an SoC installed as it gives out instructions on how to use it, but if it detects a pulse, it will not send a charge.
Secure Coding Techniques: Code Reuse/Dead Code
Code reuse is when developers keep old code stored in code libraries and reuse it for another application and make modifications as necessary. Dead Code is code that is never executed but it consumes resources and should be removed.
Internet of Things (IoT)
Comprises small devices like ATMs, small robots, wearable tech that can use an IP address and connect to the internet-capable devices. Must change default usernames/passwords for these devices.
Application Security: Fuzzing
Developers input random info into an application to see whether the app crashes or causes memory leaks or error info to be returned.
Secure Coding Techniques: Normalization
Each DB has tables with rows and columns and data may be retained in multiple places. Goal of normalization is to reduce and eliminate the redundancy to make fewer indexes per table and make searching much faster.
Secure Coding Techniques: Proper Error Handling
Errors sent back to users should be as short and generic as possible so attackers have very little information to use and launch further attacks. However, errors logged should have as much detail as possible so the security admins know why the error occurred.
Measured Boot
First adopted in Windows 8. All components from firmware to applications/software are measured and this info is stored in a log file. Log file then stored in Trusted Platform Module (TPM) chip on motherboard. Anti-malware can use this info to ensure when system boots, software is trustworthy. The log can be sent to remote server that can assess health status of host.
Development
First stage of developing an app is to use the most secure programming language for the task at hand. App will go through different versions and developers before it's complete. Version numbers are used to track this.
Automated Courses of Action
For example, automating courses of action like a NIDS will detect threats and the NIPS will prevent the threat from happening.
Embedded System
Has its own software built into the device hardware. Some are programmable, some are not. Some have no update mechanism which makes them vulnerable to attack. These are found in consumer products used for health monitoring, automotive, medical, and household products.
Endpoint Protection: Next Generation Firewall
Has the ability to act as state full firewall by carrying out deep packet filtering. Also inspects app traffic to ensure it is legitimate and uses whitelisting to ensure only approved apps are allowed to run. Can also act as IPS device to protect against attacks and can inspect encrypted SSL and HTTPS packets.
Early Launch Anti-Malware
In a Windows computer, this tests all drivers that are being loaded and prevents rogue drivers from loading.
Secure Coding Techniques: Proper Input Validation
Input validation is controlled by using either wizards or web pages. If data is not input in the correct format, it will not be accepted. On web pages, input validation lists errors in red at top of page with incorrect entries. This prevents SQL injection, integer and buffer overflow attacks.
Endpoint Protection: Anti-Virus
Monitors websites that are being visited and files that are being downloaded to ensure they aren't infected. Most solutions also have the ability to carry out anti-malware.
Real-Time Operating System (RTOS)
More reliable than desktops or servers as they are normally used for real-time apps since they process data immediately, thereby preventing buffering and buffer overflows. If a task or process does not complete within a certain time, the process will fail. These could be used for military systems or where robots are being used in production to ensure that processes are completed quickly.
Secure Boot and Attestation
OSs can perform a secure boot at startup where it checks that all drivers have been signed. If they haven't, boot sequence fails because integrity of system has been compromised. This can be coupled with attestation, where integrity of the software has been confirmed. Example is using FDE like Bitlocker to ensure software hasn't been tampered with. BitLocker keys stored on TPM chip.
Secure Coding Techniques: Obfuscation/Camouflage
Obfuscation is the process where you take source code and make it look obscure, so if it was stolen, it would not be understood. - Example 1: Exclusive OR (XOR) is a binary operand from Boolean algebra. This operand compares two bits and will produce one bit in return. - Example 2: ROT 13 is a variation of the Caesar Cipher. There are 26 letters in the alphabet, and it rotates the letters 13 times, so A would equal N and vice versa.
Drones
Or unmanned aerial vehicles (UAV). Military can use drones to carry out surveillance on areas that are too dangerous to send people and can also be armed to carry out attacks. They have embedded systems as well.
Hardening: Open Ports and Services
Ports used by apps are endpoints for connections. Each app or protocol will use different port numbers. When an OS is installed, some ports are open and unused ports must be closed on the host-based firewall. In Windows, the netstat command is used to find open ports and the netstat -ano command is used to close the ports not being used. Also in Windows, you can search for services.msc to see what services are running and disable the ones you don't need.
Databases: Stored Procedures
Prewritten SQL scripts that are saved in SQL databases which prevents manipulation of SQL statements and SQL injection attacks.
Subscriber Identity Module (SIM) cards
Small computer chips that contain your information that allows you to connect to your telecoms provider to make calls, send texts, or use internet.
Endpoint Protection: Host Intrusion Prevention System (HIPS)
Software program that can be installed on a host to protect it from attack. It analyzes the behavior of a computer and looks for anything suspicious in log files and memory. Takes appropriate action to prevent attacks like malware.
Testing
Software testers ensure the functionality of the program fulfills the specifications. May also employ a secure coding freelancer to carry out regression testing to ensure that app is fit for production.
Luxury Vehicles
Some have embedded systems that produce a wireless hotspot in the car so that passengers can connect to the internet. Others have ability to self-park. Vendors are still trying to perfect self-driving cars.
Databases: Tokenization
Takes sensitive data such as a credit card number and replaces it with random data. It is stronger than encryption and can't be reversed. This can help companies be compliant with PCI-DSS and HIPAA, has ability to replace protected health information, e-PHI, and Non Public Personal Information (NPPI).
Self-Encrypting Drives (SEDs)
The OPAL storage specification is the industry standard for self-encrypting drives. This is a hardware solution which outperforms other encryptions because they are software solutions. They don't have the same vulnerabilities as software which makes them more secure. The SEDs are Solid-State-Drives (SSDs) and are already set to encrypt data at rest when purchased. These have a security mechanism allowing the drive to be locked in order to prevent unauthorized users from accessing the data. Only computer user and vendor can decrypt the drives. Encryption keys are stored on hard drive controller which makes them immune to a cold boot attack. Also compatible with all OSs.
Hardening: Registry
The registry is a database of all the settings on your computer and gaining access to this can allow someone to cause damage to the computer. If a change is made to a control, that change is reflected in the registry. There are a group of settings, called hives, and five main hive keys. The Docker tool allows you to isolate apps into containers. The registry can also be isolated in a container, making it more secure.
Supervisory Control and Data Acquisition (SCADA)
These systems are automated control systems that can be used for water, oil, or gas refineries, or industrial and manufacturing facilities, where there are multiple phases of production. A network firewall prevents unauthorized access to the network, then an NIPS is used as additional layer. If segmentation is required, VLANs could be used internally. No difference than protecting a corporate network.
Surveillance Systems
These systems can check cameras, speak to those on camera, automate lights, and set alarms, all from a smart phone. Usually are networked and video footage can be used for legal purposes. Can be attacked from internet and attacker could steal the info they contain. Must immediately change default username/passwords.
Secure Coding Techniques: Software Developer Kits (SDKs)
This is a set of software developer tools that a vendor creates to make application development easier. Like Microsoft's Windows 10 SDK which provides latest headers, libraries, metadata, and tools for building Windows apps.
Continuous Monitoring
This is to log any failures by the app so that steps can be taken to remedy them.
Hardening: Patch Management
This is where cyber security teams obtain updates from vendors. They test the updates on a sandboxed computer to ensure it will not cause any damage to OS or apps. Once testing is complete, they can be set up to auto update your OS and others. Microsoft's WSUS server has the ability to roll out vendor updates and third-party updates.
Baseband Radio
Used for audio signals over radio frequency, for example, when truck drivers go onto a specific channel to talk to another truck driver.
Databases: Hashing
Used to index and fetch items from databases that contain large amounts of data which makes the search faster because the hash key is shorter than the actual data. The hash values are stored in a data bucket, which is a memory location where records are stored. A data bucket is also known as a unit of storage.
Smart Meters
Used to show the amount of electricity or gas that someone is using which helps reduce energy bills.
Heating, Ventilation, and Air Conditioning (HVAC)
Very important for server rooms and server farms as they regulate temperature. Data centers have isles where cold air comes in and that faces the front of the servers while the rear of the servers face each other and push hot air out. The hot air escapes through chimneys. Critical systems can fail if the temperature gets too hot. Security teams can also see whether offices are occupied according to the HVAC system usage register.
Secure Coding Techniques: Server-Side vs. Client-Side Execution and Validation
Website code will either run as server-side code or client-side code. - Server-Side (backend): this validation is where the user's input is sent to the server, where it is validated and then response is sent back to the client. Programming languages like C# and .NET are server-side. This one takes much longer and can use input validation to check the input is valid and to stop the attacker in their tracks. - Client-side (frontend): validation is done locally on the client so there is no network traffic. Script languages such as JavaScript, VBScript, or HTML5 attributes are used for this validation on the browser side. This one is much quicker but an attacker can exploit the JavaScript and bypass the client side.
Software Diversity
Where a developer can take code and obfuscate it with a compiler so an attacker cannot reverse engineer the code, allowing them to find vulnerabilities.
Application Security: Manual Code Review
Where a developer reads code line by line to ensure it is written properly and that there are no errors. This is very tedious and time consuming.
Application Security: Input validation
Where data is entered either using a web page or wizard. Both are set up to only accept data in the correct format within a range of minimum and maximum values. Controlling data input this way is vital to protecting applications from buffer and integer overflow and SQL injection attacks.
Automation/Scripting
Where processes are set up to carry out tasks automatically without the need for human intervention using either scripts or a GUI. Scripts are precompiled instructions that are automatically launched when activated. This leads to fewer errors than carrying out tasks manually, where humans make mistakes.
Staging
Where quality assurance is ensured before software is rolled out to production. Test new app with real data in a sandbox so end users can confirm it's fit for its intended purpose and all reports they need are available. Then the app is signed off as being fit for purpose and quality assurance of the product is fulfilled.
Continuous Validation
Where the application is tested to make sure it is fit for purpose and fulfills the original specification.
Application Security: Secure Coding Practices
Where the developer(s) that create software ensures that there are no bugs or flaws, so they can prevent attacks like buffer overflow and integer injection.
Secure Coding Techniques: A Race Condition
Where two instructions from different threads try to access the same data at the same time. The threads should've been programmed to access the data sequentially.