Chapter 8 - Software Development Security
*Incremental Methodology
"Multi-waterfall" Allows developers to carry out multiple development cycles on a piece of software throughout its development stages. Each incremental phase results in a deliverable that is an operational product. Benefits: A working piece of software is available in early stages of development. It is more flexible than traditional waterfall. Early testing uncovers issues more quickly than waterfall. Delivery costs can be lower.
Steps in a Change Control Process
1) Make a formal request for the change.
2) Analyze the request:
   a. Develop the implementation strategy
   b. Calculate the costs of this implementation
   c. Review security implications
3) Record the change request
4) Submit the change request for approval
5) Develop the change:
   a. Recode segments of the product
   b. Link the changes in the code to the formal change request
   c. Submit software for testing and QC
   d. Repeat until quality is adequate
   e. Make version changes
6) Report results to management
ActiveX
A Microsoft technology composed of a set of OOP technologies and tools based on COM and DCOM. It is a framework for defining reusable software components in a programming language-independent manner. Security note: unlike Java applets, ActiveX controls are not sandboxed; they run as native code with the privileges of the user, so the only trust control is code signing (Authenticode) plus the browser's zone settings.
*Database
A collection of data stored in a meaningful way that enables multiple users and applications to access, view, and modify that data as needed.
*File
A collection of records of the same type
*Record
A collection of related data items
*Attribute
A column in a two-dimensional database
*Primary Key
A field (or set of fields) whose value uniquely identifies each record in a table. No two records may share it and it may not be null.
*Remote Procedure Call (RPC)
A protocol that enables a process on one computer to invoke a procedure (subroutine) running in a process on another computer as if it were a local call.
*Object-relational Database (ORD)
A relational database with a software front end that is written in an object-oriented programming language.
*Tuple
A row in a two-dimensional database
*Distributed Computing Environment (DCE)
A set of management services with a communication layer based on RPC. Client/server framework. Mainly Unix-based. Uses universal unique IDs (UUIDs). Provides an RPC service, security service, directory service, time service, and distributed file support.
*Change Management
A systematic approach to deliberately regulating the changing nature of projects, including software development projects. It is a management process that takes into account not just the technical issues, but also resources, project lifecycle, and even organizational climate.
*Session ID
A value sent by the client to the server with every request that uniquely identifies the client to the server or application. Session IDs must not be predictable: they should come from a cryptographically secure random number generator with enough entropy to resist guessing, never be derived from timestamps, counters, or user attributes, and be protected in transit (TLS, HttpOnly and Secure cookie flags).
*View
A virtual relation defined by the data administrator in order to keep subjects from viewing certain data
*Regression Testing
After a change to a system takes place, retesting to ensure functionality, performance, and protection.
*Extreme Programming (XP)
Agile methodology. Uses pair programming: two programmers share one workstation, one typing the code while the other reviews it and directs the work, swapping roles regularly. Significantly reduces the incidence of error and improves overall quality of code.
*Kanban
Agile methodology. Stresses visual tracking of tasks so the team knows what to prioritize at what point in time in order to deliver the right features right on time.
*Rapid Prototyping
Allows the development team to quickly create a prototype to test the validity of the current understanding of the project requirements. Rapid prototypes are discarded after they've served their purpose. Customer may not understand the impact of the small tweaks to prototypes.
*Java Database Connectivity (JDBC)
An API that allows a Java application to communicate with a database. The application can bridge through ODBC or connect directly to the database.
*Open Database Connectivity (ODBC)
An API that allows an application to communicate with a database, either locally or remotely.
*ActiveX Data Objects (ADO)
An API that allows applications to access back-end database systems. Uses OLE DB interface to connect with database.
*Simple Object Access Protocol (SOAP)
An XML-based communication protocol used for sending messages between applications via the Internet. Supports applications running on different operating systems which were written in different languages.
*Foreign Key
An attribute of one table that is related to the primary key of another table.
*Rollback
An operation that ends a current transaction and cancels the current changes to the database.
*Attack Surface Analysis
Analysis during the design phase of the SDLC with the goal of identifying and reducing the amount of code and functionality accessible to untrusted users. Basic strategies:
- Reduce the amount of code running
- Reduce entry points available to untrusted users
- Reduce privilege levels as much as possible
- Eliminate unnecessary services
*Network Database Model
Built upon the hierarchical database model. Instead of being constrained by having to know how to go from one branch to another and then from one parent to a child to find a data element, the network database model allows each data element to have multiple parent and child records. Forms a redundant network-like structure instead of a strict tree structure. Allows for quick retrieval of data compared to hierarchical.
*Evolutionary Prototypes
Built with the goal of incremental improvement. Prototype isn't discarded (as with Rapid Prototyping) and is instead continually improved until it reaches the final production stage. These prototypes however are NOT intended to be used for production
*Data Dictionary
Central repository of data elements and their relationships.
Secure Programming Practices
- Check input lengths to prevent buffer overflows
- Inspect code to prevent the presence of covert channels
- Check for proper data types
- Make sure checkpoints cannot be bypassed by users
- Verify syntax
- Verify checksums
*Hierarchical Data Model
Combines records and field data that are related in a logical tree structure. Hierarchical databases are useful for mapping one-to-many relationships. Based on the X.500 standard. Almost always used when building indexes for relational databases; an index can be built on any attribute and makes for fast searches. Note: DNS servers use hierarchical databases.
*Java Applets
Commonly run in a web browser. Note: Java is platform independent because it compiles to intermediate code, bytecode, which is not processor specific. Bytecode runs on a Java Virtual Machine (JVM), which converts it into machine code. Caveat: applets are legacy technology; the Applet API was deprecated in Java 9 and removed in Java 17, and current browsers no longer run them.
*Unit Testing
Concerned with ensuring the quality of individual code modules or classes.
*Data Modeling
Considers data independently of the way the data are processed and of the components that process the data. A data model follows an input value from beginning to end and verifies that the output is correct.
Content-dependent vs Context-dependent Access Control
Content-dependent: based on the sensitivity of the information Context-dependent: software "understands" what actions should be allowed based upon the state and sequence of the request.
*Java Virtual Machine (JVM)
Converts bytecode into machine code for the host processor, which is what makes Java platform independent. The JVM also creates a sandbox environment that sets strict limitations on the system resources the bytecode may touch; the sandbox is a security control, separate from portability.
Database Language Components
- Data definition language (DDL): Defines the structure and schema of the database.
- Data manipulation language (DML): Contains all the commands that enable a user to view, manipulate, and use the database.
- Query language: Enables users to make requests of the database.
- Report generator: Produces printouts of data in a user-defined manner.
*Object Linking and Embedding Database (OLE DB)
Database interface that separates data into components that run as middleware on a client or server. It provides a low-level interface to link information across different databases and provides access to data no matter where it is.
Statement of Work (SOW)
Description of the product and customer requirements.
*Object-oriented Database Model
Designed to handle a variety of data types (images, audio, documents, etc.).
*V-shaped Methodology
Development methodology which focuses on verification and validation at each coding phase. Follows a V structure, passing from high level to low level and requires testing throughout. Still very rigid, as with Waterfall.
Three Elements of Security Development Environments
Development platforms, code repositories, and the software configurations
Scope Creep
Deviation from SOW
*Java Platform, Enterprise Edition (Java EE)
Distributed computer model based upon Java. Defines a client/server model that is object oriented and platform independent. Main goal is to have a standardized method of implementing back-end code that carries out business logic for enterprise-wide applications.
*Spiral methodology
Emphasizes risk analysis. Good for large, mission-critical projects. Made up of four main phases: determine objectives, risk analysis, development and test, and plan the next iteration. These four phases occupy the quadrants of a plane and development cycles outward. The angular position represents progress and the radius of the spiral represents cost.
*Object Linking and Embedding (OLE)
Enables objects to be shared on a local personal computer and to use COM as their foundation.
*Acceptance Testing
Ensuring that the code meets customer requirements
Other Methodologies
- Exploratory Methodology: Used when clearly defined project objectives have not been presented.
- Joint Application Development (JAD): Team and workshop oriented. Distinguished by its inclusion of members other than coders in the team.
- Reuse Methodology: Uses progressively developed code. Reusable programs are evolved by gradually modifying pre-existing prototypes.
- Cleanroom: Used for high-quality and mission-critical applications that will be put through a strict certification process.
*Operational Prototypes
Extension of the evolutionary prototype method where the final product IS used for production.
*Machine Language
Format that the processor can understand, represented in binary format. Most primitive form of programming.
*Third-generation Languages
High-level languages with abstract statements (IF-THEN-ELSE)
*Garbage Collector
Identifies blocks of memory that were once allocated but are no longer in use and deallocates the blocks and marks them as free.
*Failing Securely
In the event of an error, a system ought to be designed to behave in a predictable and noncompromising manner.
*Coupling
Indicates how much interaction one module requires with other modules to carry out its tasks. Want LOW coupling.
*Three Software Requirement Models
- Informational Model: Dictates the type of information to be processed and how it will be processed
- Functional Model: Outlines the tasks and functions the application needs to carry out
- Behavioral Model: Explains the states the application will be in during and after specific transitions take place
Parameter Validation vs Input Validation
Input validation: User inputs a value that is then validated Parameter validation: An environmental variable defined by an application is validated.
*Maintenance Hook
Lines of code that allow developers to bypass security and access controls to gain access to software. These are usually used for development but can accidentally be left in production software.
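Added example (not from the notes, and not anyone's real login code): a login function with a maintenance hook left in it next to the hardened form, plus a tiny static check that flags the hook. The user "alice", her password, the salt and the "maint"/"letmein" hook are all constructed for illustration.

```python
import ast
import hashlib
import hmac
import inspect

# Constructed user store: one user, PBKDF2-SHA256 hash of her password.
_SALT = b"static-demo-salt"
_ITERATIONS = 50_000


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


_USERS = {"alice": _hash("correct horse battery")}


def _password_matches(username: str, password: str) -> bool:
    stored = _USERS.get(username)
    if stored is None:
        _hash(password)  # spend the same time for unknown users (no username oracle)
        return False
    return hmac.compare_digest(stored, _hash(password))


def login_with_hook(username: str, password: str) -> bool:
    """Vulnerable form: a maintenance hook the developer forgot to remove."""
    if username == "maint" and password == "letmein":  # bypasses the credential check
        return True
    return _password_matches(username, password)


def login_hardened(username: str, password: str) -> bool:
    """Hardened form: the only way in is the real credential check."""
    return _password_matches(username, password)


def hardcoded_password_comparisons(source: str) -> list:
    """Tiny static check: line numbers (relative to `source`) where a variable
    named 'password' is compared against a string literal."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Compare):
            continue
        operands = [node.left, *node.comparators]
        names = {o.id for o in operands if isinstance(o, ast.Name)}
        literals = [o for o in operands
                    if isinstance(o, ast.Constant) and isinstance(o.value, str)]
        if "password" in names and literals:
            hits.append(node.lineno)
    return hits


def audit_login_functions() -> dict:
    """Run the static check over both login variants."""
    return {fn.__name__: hardcoded_password_comparisons(inspect.getsource(fn))
            for fn in (login_with_hook, login_hardened)}
```

The static check is deliberately narrow (a real linter such as Bandit covers far more), but it shows why hooks are found by code review and static analysis rather than by testing: the hook only triggers on an input nobody's test suite sends.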
*Assembly Language
Low-level programming language and is the symbolic representation of machine-level instructions. Assemblers convert assembly code into machine language.
*Two-phase Commit
Mechanism used to ensure the integrity of data spread across more than one database or system: a transaction either commits on all participants or on none. Phase one: the coordinator asks each participant to prepare, and each votes yes (it has durably staged the change and promises it can commit) or no. Phase two: if every vote was yes the coordinator tells all to commit, otherwise it tells all to roll back. Contrast with batch processing, in which all of the changes are put into a queue and applied all at once rather than at the time the user makes the request.
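Added example (not from the notes): a minimal two-phase commit coordinator with in-process participants. The Participant class, the balances and the fail_prepare switch are constructed to show the prepare/vote and commit/abort phases; a real implementation would also log the votes durably so the coordinator can recover after a crash.

```python
from typing import List, Optional


class Participant:
    """One resource manager (e.g. a database holding one account).
    `fail_prepare` simulates a node that cannot honour the request."""

    def __init__(self, name: str, balance: int, fail_prepare: bool = False):
        self.name = name
        self.balance = balance
        self.fail_prepare = fail_prepare
        self.pending: Optional[int] = None
        self.state = "idle"

    def prepare(self, delta: int) -> bool:
        """Phase 1: stage the change and vote. A 'yes' vote is a promise
        that commit() cannot fail later."""
        if self.fail_prepare or self.balance + delta < 0:
            self.state = "aborted"
            return False
        self.pending = delta
        self.state = "prepared"
        return True

    def commit(self) -> None:
        """Phase 2, coordinator said commit: make the staged change durable."""
        self.balance += self.pending
        self.pending = None
        self.state = "committed"

    def rollback(self) -> None:
        """Phase 2, coordinator said abort: discard the staged change."""
        self.pending = None
        self.state = "aborted"


def two_phase_commit(participants: List[Participant], deltas: List[int]) -> bool:
    """Coordinator: every participant commits, or none of them do."""
    votes = [p.prepare(d) for p, d in zip(participants, deltas)]  # phase 1
    if all(votes):
        for p in participants:                                     # phase 2: commit
            p.commit()
        return True
    for p in participants:                                         # phase 2: abort
        p.rollback()
    return False


def transfer(src: Participant, dst: Participant, amount: int) -> bool:
    """Move `amount` from src to dst atomically across both participants."""
    return two_phase_commit([src, dst], [-amount, amount])
```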
*Object Request Broker (ORB)
Middleware that allows the client/server communication to take place between objects residing on different systems.
*Lightweight Directory Access Protocol (LDAP)
Most commonly used implementation of the hierarchical model. The hierarchical model is also what the Windows Registry and most file systems use, but it is not common in newer database products.
Default Issues
Most out-of-the-box implementations aren't secure because vendors focus on usability. They need to be secured manually (change default credentials, disable unneeded services, review default permissions). When a security application or device is installed it should default to "No Access".
*Integrated Production Team (IPT)
Multidisciplinary development team with representatives from many or all the stakeholder groups. Often associated with Agile technologies. Also works well with JAD.
*Fifth-generation Languages
Natural Languages. Programs are created by defining constraints for achieving a specified result. Goal is for software to solve the problems itself.
*Common Object Request Broker Architecture (CORBA)
Open object-oriented standard architecture for non-Microsoft Environments. Provides interoperability among a vast array of software, platforms, and hardware.
*Commit
Operation that completes a transaction and executes all changes just made by the user.
Work Breakdown Structure (WBS)
PM tool used to define and group a project's individual work elements.
*Change Control
Part of change management. Process of controlling the specific changes that take place during the life cycle of a system and documenting the necessary change control activities. The change must be approved, documented, and tested.
Adequate Parameter Validation
- Pre-validation: Input controls verifying data is in the appropriate format and compliant with application specifications prior to submission
- Post-validation: Ensuring an application's output is consistent with expectations
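Added example (not from the notes): the pre-validation / post-validation pair applied to one constructed request, a comment submission with an author and text. The field names, the username allowlist, the 280-character limit and the HTML template are assumptions chosen for the example; the point is that input is checked against a positive specification before use, and the rendered output is checked again against its expected shape before it leaves the application.

```python
import html
import re

USERNAME = re.compile(r"[a-z][a-z0-9_]{2,31}")    # allowlist: 3-32 chars, fixed alphabet
MAX_TEXT = 280


def pre_validate(raw: dict) -> dict:
    """Input control: reject anything that is not exactly the shape the spec allows."""
    if not isinstance(raw, dict) or set(raw) != {"author", "text"}:
        raise ValueError("request must contain exactly 'author' and 'text'")
    author, text = raw["author"], raw["text"]
    if not isinstance(author, str) or not USERNAME.fullmatch(author):
        raise ValueError("author must match [a-z][a-z0-9_]{2,31}")
    if not isinstance(text, str) or not 1 <= len(text) <= MAX_TEXT:
        raise ValueError(f"text must be 1-{MAX_TEXT} characters")
    if any(ord(ch) < 32 and ch not in "\n\t" for ch in text):
        raise ValueError("control characters are not allowed")
    return {"author": author, "text": text}


_SHAPE = re.compile(r'<p class="comment" data-author="[a-z0-9_]+">(.*)</p>', re.S)


def render(comment: dict) -> str:
    """Escape on output so user text can never become markup."""
    return (f'<p class="comment" data-author="{html.escape(comment["author"])}">'
            f'{html.escape(comment["text"])}</p>')


def post_validate(fragment: str) -> str:
    """Output control: what leaves the application must still look like our template,
    with no raw angle brackets inside the user-controlled part."""
    m = _SHAPE.fullmatch(fragment)
    if m is None or "<" in m.group(1) or ">" in m.group(1):
        raise RuntimeError("rendered output violated the expected shape")
    return fragment


def handle(raw: dict) -> str:
    """Pre-validate, process, post-validate."""
    return post_validate(render(pre_validate(raw)))
```

The post-validation step looks redundant next to html.escape, and on the happy path it is; its value is as a tripwire for the day someone changes render() to use a template that forgets to escape.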
*Design Phase (of SDLC)
Process used to describe how requirements will be met and the internal behavior of the software product. From a security perspective, the following should be accomplished:
- Attack surface analysis
- Threat modeling
*Component Object Model (COM) and Distributed Component Object Model (DCOM)
Proprietary to Microsoft. COM allows for interprocess communication within one application or between applications on the same computer system. DCOM supports the same model but on distributed systems. DCOM has been largely replaced by .NET framework.
*Rapid Application Development
Relies on rapid prototyping. Planning of how to improve the software is interleaved with the process of developing the software, which allows for software to be developed quickly. Allows for customers to be involved during the development phases so that the end result maps to their needs in a more realistic manner.
*Software Development Life Cycle (SDLC) - Five Stages
1) Requirements Gathering
2) Design
3) Development
4) Testing
5) Operations and Maintenance
*Privacy Impact Rating
Results from a privacy risk assessment during the requirements phase of the SDLC.
Three Types of Database Integrity
- Semantic Integrity: Structural and semantic rules are enforced
- Referential Integrity: All foreign keys reference existing primary keys
- Entity Integrity: All entities are uniquely identified by primary keys
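Added example (not from the notes): a constructed two-table schema in SQLite that declares all three kinds of integrity, then tries one statement that violates each and lets the DBMS reject it. The department/employee tables and the rows are invented for the example. Note the PRAGMA: SQLite does not enforce foreign keys unless it is switched on per connection, which is a common misconfiguration.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory schema with all three integrity kinds declared."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite only enforces FKs when this is on
    conn.executescript("""
        CREATE TABLE department (
            dept_id INTEGER PRIMARY KEY,                  -- entity integrity
            name    TEXT NOT NULL UNIQUE
        );
        CREATE TABLE employee (
            emp_id  INTEGER PRIMARY KEY,                  -- entity integrity
            name    TEXT NOT NULL,
            salary  INTEGER NOT NULL CHECK (salary >= 0), -- semantic integrity
            dept_id INTEGER NOT NULL
                    REFERENCES department(dept_id)        -- referential integrity
        );
        INSERT INTO department VALUES (1, 'Security');
        INSERT INTO employee  VALUES (10, 'alice', 90000, 1);
    """)
    return conn


def attempt(conn: sqlite3.Connection, sql: str, params=()) -> str:
    """Run one statement in its own transaction; report whether the DBMS accepted it."""
    try:
        with conn:                      # commits on success, rolls back on error
            conn.execute(sql, params)
        return "ok"
    except sqlite3.IntegrityError as e:
        return f"rejected: {e}"


def integrity_demo() -> dict:
    """One accepted statement and one violation of each integrity rule."""
    conn = build_db()
    return {
        "valid":         attempt(conn, "INSERT INTO employee VALUES (?, ?, ?, ?)", (11, "bob", 50000, 1)),
        "duplicate_pk":  attempt(conn, "INSERT INTO department VALUES (?, ?)", (1, "Ops")),
        "orphan_fk":     attempt(conn, "INSERT INTO employee VALUES (?, ?, ?, ?)", (12, "eve", 1, 99)),
        "delete_parent": attempt(conn, "DELETE FROM department WHERE dept_id = ?", (1,)),
        "bad_salary":    attempt(conn, "UPDATE employee SET salary = -1 WHERE emp_id = ?", (10,)),
        "rows_after":    conn.execute("SELECT COUNT(*) FROM employee").fetchone()[0],
    }
```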
*User Story
Sentence that describes what a user wants to do and why.
*Database Management System (DBMS)
Software that provides access/view/modify capabilities, enforces access control restrictions, provides data integrity and redundancy, and sets up different procedures for data manipulation.
*Threat Tree
Strategy within threat modeling. A tree structure is created to map assets to vulnerabilities to threats, to help the development team understand all of the ways specific threats can be realized.
*Development Phase (of SDLC)
Takes software design from the previous phase and breaks it down into defined deliverables. Programmers develop code to meet the deliverable requirements. While security needs to be addressed at every phase of the SDLC, the development stage is the most critical
*Requirements Gathering (of SDLC)
Team examines the software's requirements and proposed functionality, engages in brainstorming, and reviews obvious restrictions. As it pertains to security, the following should be accomplished:
- Security requirements
- Privacy risk assessment
- Risk-level acceptance
*Static Analysis
Technique meant to help identify software defects or security policy violations, carried out by examining the code without executing the program. Carried out BEFORE compilation and during the development phase.
*Fuzzing
Technique used to discover flaws and vulnerabilities in software by sending large amounts of malformed, unexpected, or random data to the target program in order to trigger a failure.
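Added example (not from the notes, and not a real fuzzer): a mutation-based fuzzer run against a constructed length-prefixed record parser. The format, the seed record and both parser versions are invented for the example. The careless parser indexes into the input without checking lengths, so the fuzzer finds it raising IndexError (and similar); the hardened parser validates every length first and only ever raises its own MalformedRecord, which the fuzzer treats as a clean rejection rather than a crash.

```python
import random


class MalformedRecord(ValueError):
    """Controlled rejection of bad input; the fuzzer does not count it as a crash."""


SEED = b"\x03abc\x02hi"   # constructed valid record: tag 'abc', body b'hi'


def parse_record(data: bytes):
    """Fuzz target written the careless way.
    Layout: [tag_len][tag bytes][body_len][body bytes]."""
    tag_len = data[0]
    tag = data[1:1 + tag_len].decode("ascii")
    body_len = data[1 + tag_len]
    return tag, data[2 + tag_len:2 + tag_len + body_len]


def parse_record_hardened(data: bytes):
    """Same format, every length checked before use; only MalformedRecord escapes."""
    if len(data) < 2:
        raise MalformedRecord("too short")
    tag_len = data[0]
    if tag_len == 0 or 1 + tag_len >= len(data):
        raise MalformedRecord("tag length exceeds input")
    tag = data[1:1 + tag_len]
    if not all(32 <= b < 127 for b in tag):
        raise MalformedRecord("tag must be printable ASCII")
    body_len = data[1 + tag_len]
    end = 2 + tag_len + body_len
    if end != len(data):
        raise MalformedRecord("body length does not match input")
    return tag.decode("ascii"), data[2 + tag_len:end]


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply 1-4 random mutations: overwrite a byte, truncate, insert junk, boundary value."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(4)
        if op == 0 and data:
            data[rng.randrange(len(data))] = rng.randrange(256)
        elif op == 1:
            del data[rng.randrange(len(data) + 1):]
        elif op == 2:
            pos = rng.randrange(len(data) + 1)
            data[pos:pos] = bytes(rng.randrange(256) for _ in range(rng.randint(1, 8)))
        elif data:
            data[rng.randrange(len(data))] = rng.choice([0, 1, 127, 128, 255])
    return bytes(data)


def fuzz(target, seed: bytes = SEED, iterations: int = 2000, rng_seed: int = 1) -> dict:
    """Feed mutated inputs to `target`; return {exception type: first input that triggered it}."""
    rng = random.Random(rng_seed)       # fixed seed so a finding can be reproduced
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except MalformedRecord:
            continue                    # the parser rejected it cleanly
        except Exception as exc:        # anything else is a bug worth a report
            crashes.setdefault(type(exc).__name__, case)
    return crashes
```

In Python the "crash" is an uncaught exception; in C the same missing length checks would be out-of-bounds reads, which is why fuzzing native parsers is usually paired with a memory sanitizer so the fault is observed rather than silently corrupting memory.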
*Aggregation
The act of combining pieces of information to infer a result. Happens when a user does not have the clearance to access specific information but can access components of that information and put them together.
*Cohesion
The degree of relatedness of the tasks and data within a class. Want HIGH cohesion.
*Dynamic Analysis
The evaluation of a program in real time, when it is running. Generally conducted AFTER the code has passed the static analysis stage and basic programming flaws have been rectified offline. Occurs during the testing phase. Effective for compatibility testing, detecting memory leaks, identifying dependencies, and for analyzing software without having to access the software's actual source code.
*DevOps
The practice of incorporating developers, members of operations, and quality assurance (QA) staff into software development projects to align their incentives and enable frequent, efficient, and reliable releases of software products. Increases trust and job satisfaction
Privilege Escalation
The process of exploiting a process or configuration setting in order to gain access to resources that would normally not be available to the process or its user.
*Agile Methodology
Umbrella term for several methodologies. Focuses on incremental and iterative development methods that promote cross-functional teamwork and continuous feedback mechanisms. "Lightweight". Focuses on user stories.
*Test Driven Development
Unit tests for a module are written before the production code for that module exists. These tests drive the development of the modules.
*Savepoint
Used to make sure that if a system failure occurs, or if an error is detected, the database can attempt to return to a point before the system crashed. Note: Having too many savepoints can degrade the performance of a system.
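Added example (not from the notes) tying together Commit, Rollback and Savepoint on a constructed three-account ledger in SQLite. A batch of transfers runs in one transaction; each transfer gets its own savepoint, so an individual transfer that the DBMS rejects (overdraft, via the CHECK constraint) or that names a missing account is rolled back to its savepoint while the others proceed, and any unexpected error rolls back the whole batch. Account names and balances are invented.

```python
import sqlite3


def new_ledger() -> sqlite3.Connection:
    """Constructed ledger; isolation_level=None hands transaction control to our SQL."""
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE account (id TEXT PRIMARY KEY, "
                 "balance INTEGER NOT NULL CHECK (balance >= 0))")
    conn.executemany("INSERT INTO account VALUES (?, ?)", [("A", 100), ("B", 50), ("C", 0)])
    return conn


def balances(conn: sqlite3.Connection) -> dict:
    return dict(conn.execute("SELECT id, balance FROM account ORDER BY id"))


def _move(conn: sqlite3.Connection, src: str, dst: str, amount: int) -> None:
    """Debit src, credit dst; an overdraft trips the CHECK constraint."""
    for account, delta in ((src, -amount), (dst, amount)):
        cur = conn.execute("UPDATE account SET balance = balance + ? WHERE id = ?",
                           (delta, account))
        if cur.rowcount != 1:
            raise ValueError(f"unknown account {account!r}")


def batch_transfer(conn: sqlite3.Connection, transfers) -> list:
    """One transaction for the batch; one savepoint per transfer."""
    outcomes = []
    conn.execute("BEGIN")
    try:
        for i, (src, dst, amount) in enumerate(transfers):
            sp = f"sp{i}"                           # name built from an int index only
            conn.execute(f"SAVEPOINT {sp}")
            try:
                _move(conn, src, dst, amount)
            except (sqlite3.IntegrityError, ValueError) as e:
                conn.execute(f"ROLLBACK TO {sp}")   # undo just this transfer
                outcomes.append(f"{src}->{dst} {amount}: rolled back ({e})")
            else:
                outcomes.append(f"{src}->{dst} {amount}: ok")
            conn.execute(f"RELEASE {sp}")           # savepoint no longer needed either way
        conn.execute("COMMIT")                      # make the surviving transfers durable
    except Exception:
        conn.execute("ROLLBACK")                    # anything unexpected: the batch never happened
        raise
    return outcomes
```

ROLLBACK TO undoes work back to the savepoint but leaves the savepoint (and the enclosing transaction) open; RELEASE then discards it. The performance note above applies here: a savepoint per row in a large batch is cheap in SQLite but can be costly on servers that write a log record per savepoint.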
*Waterfall Methodology
Uses a linear-sequential lifecycle approach to software development. Each phase must be completed in its entirety before moving on. Very rigid. Can only be useful for small projects that have the requirements fully understood.
*Relational Database Model
Uses attributes (columns) and tuples (rows) to contain and organize information. Most widely used today.
Secure Coding Best Practices
- Validate inputs
- Heed compiler warnings
- Architect and design for security policies
- Keep it simple
- Default deny
- Adhere to the principle of least privilege
- Sanitize data sent to other systems
- Practice defense in depth
- Use effective QA techniques
- Adopt a secure coding standard
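Added example (not from the notes) for "Default deny" here and "Failing Securely" above: a weak authorization check that fails open twice (a denylist that permits anything it forgot to list, and an outage handled by letting everyone through) next to the hardened check that requires a positive allowlist match and treats any error as a denial. The roles, permissions, users and the simulated directory outage are constructed.

```python
import logging

log = logging.getLogger("authz")

# Constructed role data. Permissions are an allowlist per role.
ROLE_PERMISSIONS = {
    "analyst": {"report:read"},
    "admin":   {"report:read", "report:delete", "user:create"},
}
DIRECTORY = {"alice": {"analyst"}, "bob": {"admin"}}
DENIED_ACTIONS = {"analyst": {"report:delete"}}   # a denylist, used only by the weak version


def lookup_roles(user: str) -> set:
    """Stand-in for a directory/IdP call; the user 'outage' simulates the backend being down."""
    if user == "outage":
        raise ConnectionError("directory unavailable")
    return DIRECTORY.get(user, set())


def is_allowed_weak(user: str, action: str) -> bool:
    """Fails open: unknown users and unlisted actions are permitted, and an
    outage is handled as 'let them through so nobody is blocked'."""
    try:
        roles = lookup_roles(user)
    except ConnectionError:
        return True
    return not any(action in DENIED_ACTIONS.get(r, set()) for r in roles)


def is_allowed(user: str, action: str) -> bool:
    """Default deny and fail closed: access requires a positive allowlist match,
    and any error on the way to that decision is a denial (logged, not hidden)."""
    try:
        roles = lookup_roles(user)
        return any(action in ROLE_PERMISSIONS.get(r, set()) for r in roles)
    except Exception:
        log.exception("authorization check failed for %s/%s; denying", user, action)
        return False
```

The hardened version is also the least-privilege one: a new action is unreachable until someone explicitly grants it to a role, whereas with the denylist every new feature ships world-accessible until someone remembers to block it.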
*Verification vs Validation
Verification: Determines if the product accurately represents and meets the specifications Validation: Determines if the product provides the necessary solution for the intended real-world problem.
*Integration Testing
Verifying that the components work together as outlined in the design specification.
*Fourth-generation Languages
Very high-level languages with highly abstract algorithms that allow straightforward programming implementation.
*Scrum
Very lean and focused Agile methodology focusing on collaboration, customer involvement, and continuous delivery. Incorporates Sprints, which are fixed-length software development cycles which promise specific deliveries.
*Service Oriented Architecture (SOA)
Web-based approach to distributed computing. Provides standardized access to the most needed services to many different applications at one time. Service interactions are self-contained and loosely coupled, so that each interaction is independent of any other interaction. Separate functions into loosely coupled, abstracted, reusable, stateless modules.
*Checkpoint
When the database software fills up a certain amount of memory, a checkpoint is initiated, which saves the data from the memory segment to a temporary file. If a glitch is experienced the database will use this information to restore the user's working environment.
*Testing Phase
While testing will be carried out during the development phase, this phase will have formal tests which are conducted by someone other than the developer. This is an example of separation of duties. This phase also sees security attacks and penetration tests. Note: A developer should never have access to modify code used in production. The code should be tested, submitted to a library, and then sent to the production environment.