Application Security
1
© Copyright 2005 (ISC)2® All Rights Reserved.
Application Security v5.0
Introduction
This domain addresses the important security
concepts that apply to the software application
development.
• The environment where software is designed
and developed
• The critical role software plays in providing
security to the information system.
Objectives
The CISSP should understand:
• The principles for securing applications
throughout the lifecycle management process.
• Change control
• Data warehousing, data mining, and knowledge-based systems
• Program interfaces
• Concepts used to ensure application availability,
integrity and confidentiality.
Objectives (cont.)
The CISSP should be able to:
• Define the application software design
engineering principles
• Identify the various types of malicious software
– How malicious software can be introduced
into the computing environment
– Protection mechanisms that can be used to
prevent, detect, and correct malicious
software attacks.
Availability
• Programs
• Data
• Processing
• Resources
  – Bandwidth, memory, disk space, mail queues, etc.
Integrity
• Programs
• System
• Data
• Trust relationships
  – Formal (technical trust between subnets and domains)
  – Informal (social relations between partners, customers, and clients)
Confidentiality
• Direct loss (backdoors, viruses, etc.)
• Indirect loss (consequential damage due to unauthorized disclosure of confidential information, etc.)
Subtopics
• Applications Environment
• Database and Data Warehouse Environment
• Environment Threats
• System Life Cycle
• Software Development Methods
• Programming Languages
• Object Oriented Technology
• Software Protection Mechanisms
• Web Application Environment
• Assurance Mechanisms
Section Objectives
• Describe the applications environment
• List the benefits of a database management
system (DBMS)
• List examples of DBMS Models
• Define lock controls
• Describe online transaction processing (OLTP)
• Describe data warehousing
• List application environment threats
Applications Environment
• Operating system (O/S)
–First layer of software
• Two objectives of O/S
–Control use of system resources
–Provide a convenient, easy-to-understand view of the computer to users
Applications Software
• Comprises the programs, processes, utilities, drivers, etc. that provide user functionality and support business activities.
• Allows users to execute and perform computerized tasks.
Database Management
Systems
• Databases - developed to manage
information from many sources in one
location.
– Eliminates the need for duplication of
information in the system.
– Preserves storage space.
– Prevents inconsistency in data by
making changes in one central location.
Major Elements
• Database
• Hardware
• Software
• Users
DBMS Should Provide:
• Transaction persistence
• Fault tolerance and recovery
• Sharing by multiple users
• Security controls
DBMS Models
• Hierarchical Database Management
Systems
• Network Database Management Systems
• Relational Database Management
Systems
• Object-Oriented Database Management
Systems
• Object-Relational Database Management
Systems
Hierarchical DBMS
• Organizes records as a single tree: each record has one parent and may have many children.
• Uses parent/child relationships.
• Limited to a single tree.
• Cannot link records across branches or between trees, so a record related to several parents must be duplicated.
Network DBMS
• Represents data as network of records and sets
that are related to each other, forming a network
of links.
– Record types - records of the same type
– Set types - relationship between record types
Relational DBMS
• Most frequently used DBMS model.
• Data are structured in tables.
– Columns represent the variables
(attributes).
• “Atomic” - every row/column position is
always exactly one data value and never a
set of values.
– Rows contain the specific instances
(records) of data.
Relational DBMS (cont.)
• Data within the Database
– Consists of individual entities
– Entities are linked by relationships
– The DBMS describes the relationship
between the data elements and
provides the framework for organizing
the data
Primary Key
• Uniquely identifies each row and
assists with indexing the table by the
DBMS.
– Entity Integrity :
• Tuple cannot have a null value in the
primary key.
• Guarantees that the tuple is uniquely
identified by the primary key value.
Foreign Key
• An attribute or combination in one table
whose value must match those of a
primary key in another table. It helps link
(join) tables together.
– Referential integrity
  • Every non-null foreign key value must match the primary key value of some tuple in the referenced table.
  • A tuple whose foreign key is null matches nothing, so it is dropped by an (inner) join.
Application Security v5.0
Relational Database Security
Issues
• Ensuring integrity of input data.
• Preventing deadlocking (a stalemate in which two or more transactions each hold a lock the other needs, so neither can proceed)
• Access controls ensuring only
authorized users are performing
authorized activities.
OODBMS & ORDBMS
• OODBMS (Object Oriented Database
Management System)
– Supports the modeling and creation of data as
objects
• ORDBMS (Object Relational Database
Management System)
– most commonly implemented as a relational
DBMS with an object-oriented interface
Database Interface Languages
• Standardized access methods that
provide an interface to the database.
• Examples include:
– Open Database Connectivity (ODBC)
– OLE DB (Object Linking and Embedding, Database)
– ActiveX Data Objects (ADO)
– Java Database Connectivity (JDBC)
– eXtensible Markup Language (XML)
Database Security Issues
• Inference
• Aggregation
• Unauthorized access
• Improper modification of data
• Access availability
• Database views
• Query attacks
• Bypass attacks
• Interception of data
• Web security
• Data contamination
Data Warehouse
• Consolidated view of enterprise data,
optimized for reporting and analysis.
• Designed to support decision making
through data mining.
• “Data mart” is a more focused and
specialized data repository meeting the
specific demands of a particular group or
department.
Data Warehouse
[Figure: "before" view of separate databases for suppliers/distributors, customers, and employees being consolidated into one data warehouse]
Building Data Warehouse
1. Feed all data into large, high-security
database.
2. Normalize the data.
3. Mine the data for correlations to produce
metadata.
4. Sanitize and export the metadata to its
intended users.
5. Put all new incoming data into the data
warehouse.
Application Security v5.0
Metadata
• Information about data.
• A systematic method for describing
resources and improving the retrieval
of information.
• Provides:
– Valuable information on unseen relationships
between data.
– Ability to correlate data that was considered
unrelated.
DBMS Controls
Subtopics
• Lock Controls
• Online Transaction Processing
(OLTP)
• View-Based Access Controls
• Knowledge Management
Lock Controls
• Used to control read and write access
to specific rows of data in relational
systems, or objects in object-oriented
systems.
• Locks ensure only one user at a time
can alter data.
• Better programming logic and testing
reduce deadlocking problems.
Lock Controls - the ACID Test
• Atomicity
– either all changes take effect or none do.
• Consistency
– a transaction is allowed only if it meets
owner/system-defined integrity constraints.
• Isolation
– the results of the transaction are not visible until
the transaction is complete.
• Durability
– a completed transaction is permanent.
Online Transaction Processing
(OLTP)
• Records transactions as they occur in real-time.
• Security concerns are concurrency
and atomicity.
– Concurrency controls ensure that two
users cannot simultaneously change the
same data.
– Atomicity ensures that if any step fails, none of the steps take effect: the whole transaction is rolled back.
OLTP Systems Should:
• Detect when individual processes abort.
• Automatically restart an aborted
process.
• Back out of a transaction if necessary.
• Have transaction logs record information
on a transaction before it is processed,
then mark it as processed after it is
done.
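Added example, not from the slides, covering the ACID slide and the two OLTP slides above: a small transfer between accounts in Python's sqlite3. The transfer logs a "start" entry, debits, credits, logs "done", then commits, matching the OLTP transaction-log behaviour described above; a failing step backs everything out (atomicity), a CHECK constraint is the owner-defined integrity rule (consistency), a second connection cannot see the uncommitted debit (isolation), and only COMMIT makes the change permanent (durability). Account names, balances, and the journal table are constructed sample data.

```python
import os
import sqlite3
import tempfile

# Added example (not from the slides): ACID behaviour of an OLTP transfer.
# Accounts, balances and the journal table are constructed sample data.

SCHEMA = """
CREATE TABLE accounts (
    name    TEXT PRIMARY KEY,
    balance INTEGER NOT NULL CHECK (balance >= 0)   -- consistency: integrity constraint
);
CREATE TABLE journal (id INTEGER PRIMARY KEY, entry TEXT NOT NULL);  -- transaction log
"""

def new_bank(path=":memory:"):
    conn = sqlite3.connect(path, isolation_level=None)   # we issue BEGIN/COMMIT ourselves
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [("alice", 100), ("bob", 50)])
    return conn

def transfer(conn, src, dst, amount):
    """One atomic transaction: log start, debit, credit, log done, commit."""
    conn.execute("BEGIN IMMEDIATE")          # concurrency control: take the write lock up front
    try:
        conn.execute("INSERT INTO journal(entry) VALUES (?)", (f"start {src}->{dst} {amount}",))
        conn.execute("UPDATE accounts SET balance = balance - ? WHERE name = ?", (amount, src))
        cur = conn.execute("UPDATE accounts SET balance = balance + ? WHERE name = ?", (amount, dst))
        if cur.rowcount != 1:                # credit step failed: unknown destination
            raise sqlite3.IntegrityError(f"no such account: {dst}")
        conn.execute("INSERT INTO journal(entry) VALUES (?)", (f"done {src}->{dst} {amount}",))
        conn.execute("COMMIT")               # durability: the change is now permanent
        return True
    except sqlite3.Error:
        conn.execute("ROLLBACK")             # atomicity: every step, including the log entry, is backed out
        return False

def balances(conn):
    return dict(conn.execute("SELECT name, balance FROM accounts ORDER BY name").fetchall())

def journal(conn):
    return [row[0] for row in conn.execute("SELECT entry FROM journal ORDER BY id")]

def isolation_demo():
    """Isolation: a second connection does not see another transaction's uncommitted debit."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "bank.db")      # a file, so two connections can share it
        writer = new_bank(path)
        reader = sqlite3.connect(path)
        writer.execute("BEGIN IMMEDIATE")
        writer.execute("UPDATE accounts SET balance = balance - 40 WHERE name = 'alice'")
        inside = writer.execute("SELECT balance FROM accounts WHERE name = 'alice'").fetchone()[0]
        outside = reader.execute("SELECT balance FROM accounts WHERE name = 'alice'").fetchone()[0]
        writer.execute("ROLLBACK")
        reader.close()
        writer.close()
        return inside, outside               # writer sees 60, reader still sees 100

if __name__ == "__main__":
    bank = new_bank()
    print(transfer(bank, "bob", "alice", 500), balances(bank))   # refused by CHECK, unchanged
    print(transfer(bank, "alice", "nobody", 10), balances(bank)) # debit undone with the credit
    print(transfer(bank, "alice", "bob", 30), balances(bank), journal(bank))
    print(isolation_demo())
```

The second failing transfer is the case the OLTP slide describes: the debit succeeded, the credit did not, and ROLLBACK removes the debit and the "start" log entry together, so the log only ever shows transactions that either fully completed or never happened.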
View-Based Access Controls
• Security achieved through the
appropriate use of ‘views.’
– Allows the database to be logically
divided into pieces - sensitive data is
hidden from unauthorized users.
– The DBMS enforces the view: users and front-end applications are granted access to the view only, never to the underlying tables, so the restriction holds no matter which application issues the query.
– A view protects nothing if the same user can still query the base table directly; check the grants on the tables, not just the view.
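Added example, not from the slides, of view-based access control with the enforcement in the engine. SQLite has no GRANT statement, so this uses its authorizer hook (sqlite3's set_authorizer) to express the policy "employees may be read only through the staff_directory view"; in a server DBMS the same policy is a GRANT on the view and no grant on the table. The employees table, its rows, and the view name are constructed.

```python
import sqlite3

# Added example (not from the slides): a view hides the salary column, and the
# engine refuses reads of the base table that do not come through the view.
# Table, rows and view name are constructed.

VIEW_NAME = "staff_directory"

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, dept TEXT, salary INTEGER);
        INSERT INTO employees VALUES (1, 'Ana', 'eng', 120000), (2, 'Raj', 'ops', 95000);
        CREATE VIEW {VIEW_NAME} AS SELECT id, name, dept FROM employees;
    """)
    return conn

def restrict_to_view(conn):
    """Engine-level policy: columns of `employees` may be read only via the view."""
    def authorizer(action, table, column, dbname, source):
        # `source` is the innermost view or trigger performing the access, or
        # None when the user's SQL touches the table directly.
        if action == sqlite3.SQLITE_READ and table == "employees" and source != VIEW_NAME:
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK
    conn.set_authorizer(authorizer)

def query(conn, sql):
    """Run a user's query; return rows, or the refusal the engine produced."""
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.DatabaseError as e:
        return f"refused: {e}"

def demo():
    conn = build_db()
    restrict_to_view(conn)
    return {
        "via_view":        query(conn, f"SELECT name, dept FROM {VIEW_NAME} ORDER BY id"),
        "direct":          query(conn, "SELECT name, salary FROM employees"),
        "salary_via_view": query(conn, f"SELECT salary FROM {VIEW_NAME}"),
    }

if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

The direct query is rejected at statement-compile time, before any row is touched, and the salary column simply does not exist from the view's side.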
Knowledge Management
• In order for data to be helpful, it must
have meaning.
• The interpretation of data into
meaning generates knowledge.
• To automate the process, knowledge-based systems are used.
Knowledge Management
• Knowledge Discovery in Databases
(KDD)
– methods of identifying valid and useful
patterns in data.
– an evolving field of study to provide
automated analysis.
• Some KDD methods use artificial
intelligence (AI) techniques
Knowledge Management
Main approaches:
• Probabilistic Approach
– Based on probabilities and data
interdependencies
• Statistical Approach
– Uses rule discovery and is based on data
relationships
• Classification Approach
– Groups data according to similarities
Knowledge Management (cont.)
• Deviation and Trend Analysis
– uses filtering techniques to detect
patterns.
• Neural Networks
– organizes data into nodes that are
arranged in layers, and links between
the nodes have specific weighting
classifications.
Knowledge Management (cont.)
• Expert System Approach
– uses a knowledge base and a set of
algorithms and/or rules that infer new
facts from knowledge and incoming data.
• Hybrid Approach
– combination of more than one approach
that provides a more powerful and useful
system.
Knowledge Management
Security Controls
• Protect knowledge database the same as
you would any other database.
• Routinely verify decisions based on
expected outcomes.
– If output seems suspicious, perform
additional and different queries.
• Ensure all changes to rules go through a
change-control process.
• Develop a baseline of expected
performance.
Application Environment Threats
• Object reuse
– An object may contain sensitive residual data
• Garbage collection
– De-allocation of storage following program
execution
• Trap doors/back doors
– Hidden mechanisms that bypass
authentication measures
– Could enable unauthorized access
Threats (cont.)
• Buffer Overflow
  – Exploiting a program that copies input into a fixed-size buffer without bounds checking: input longer than the buffer overwrites adjacent memory, which can include control data such as return addresses, letting an attacker crash the program or hijack its execution.
  – Developers should take this type of vulnerability into account when developing and testing programs: bounds-check every copy, prefer length-limited library calls, and test with over-long inputs.
Threats (cont.)
• Denial of Service
– The result of another person or process
consuming the resources on the system and
thus denying the resources for the use of
others.
– When testing programs, test for how the
application would respond to a DoS attack.
Threats (cont.)
• Time of Check/Time of Use
(TOC/TOU)
– When control information is changed between
the time that the system security functions
check the contents of the variables and when
the variables are actually used.
• Malformed input attacks:
– SQL Injection – inserting a series of SQL
statements into a 'query' by manipulating data
input into an application
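Added example, not from the slides, of the Time of Check/Time of Use bullet above, for POSIX systems. A privileged service checks that a caller-supplied path is an ordinary file and then opens it; the `race` callback models the attacker winning the window between the check and the open by swapping the file for a symlink to a secret. The safe version has no window: it opens with O_NOFOLLOW and validates the descriptor it actually obtained. The temporary directory, file names and contents are constructed by the demo.

```python
import os
import stat
import tempfile

# Added example (not from the slides), POSIX only: a TOC/TOU race on a file
# check, and the check-on-the-opened-descriptor fix. Paths are constructed.

def read_report_vulnerable(path, race):
    if os.path.islink(path) or not os.path.isfile(path):   # time of check
        raise PermissionError("not a regular file")
    race()                                                  # attacker swaps the file here
    with open(path) as f:                                   # time of use: follows the new symlink
        return f.read()

def read_report_safe(path, race):
    race()                                                  # no window: the check is the open itself
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)         # a symlink at `path` fails with ELOOP
    try:
        st = os.fstat(fd)                                   # inspect the object we actually opened
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        return os.read(fd, 4096).decode()
    finally:
        os.close(fd)

def demo():
    """Returns (what the vulnerable reader leaked, whether the safe reader refused,
    what the safe reader returns when nobody races it)."""
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "shadow")
        target = os.path.join(d, "report.txt")
        with open(secret, "w") as f:
            f.write("TOP SECRET")

        def reset():                      # put an ordinary, harmless file at `target`
            if os.path.lexists(target):
                os.remove(target)
            with open(target, "w") as f:
                f.write("harmless report")

        def swap():                       # the attacker's move: same path, now a symlink
            os.remove(target)
            os.symlink(secret, target)

        reset()
        leaked = read_report_vulnerable(target, swap)
        reset()
        try:
            read_report_safe(target, swap)
            refused = False
        except OSError:                   # ELOOP from O_NOFOLLOW
            refused = True
        reset()
        honest = read_report_safe(target, lambda: None)
        return leaked, refused, honest

if __name__ == "__main__":
    print(demo())
```

The general rule the example illustrates: never make a security decision on a path name and then act on the path again; act once, then check the thing you got back (the descriptor, the inode, the row).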
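Added example, not from the slides, of the SQL Injection bullet above and of the "query attacks" listed under Database Security Issues: the same login lookup written by string concatenation (injectable) and with a parameterized query (safe), run against Python's sqlite3. The users table, its rows and the two attacker strings are constructed sample data.

```python
import sqlite3

# Added example (not from the slides): malformed input changing the structure
# of a query, and the parameterized form that prevents it. All data constructed.

def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL, role TEXT NOT NULL);
        INSERT INTO users VALUES ('admin', 'S3cret!', 'admin'), ('guest', 'guest', 'user');
    """)
    return conn

def login_vulnerable(conn, username, password):
    # The input is spliced into the SQL text, so quotes and comment markers in it
    # become part of the statement and can rewrite its logic.
    sql = ("SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchall()

def login_safe(conn, username, password):
    # Placeholders bind the input as data after the statement is compiled; the
    # query's structure is fixed and the input can only ever be compared.
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()

# Two classic malformed inputs (constructed for the demonstration):
BYPASS_USER = "admin' --"                                        # comments out the password check
DUMP_USER = "' UNION SELECT username, password FROM users --"    # reads a column the query never exposed

def demo():
    conn = new_db()
    return {
        "bypass_vuln": login_vulnerable(conn, BYPASS_USER, "x"),   # logs in as admin
        "bypass_safe": login_safe(conn, BYPASS_USER, "x"),         # no such user
        "dump_vuln":   login_vulnerable(conn, DUMP_USER, "x"),     # every password in the table
        "dump_safe":   login_safe(conn, DUMP_USER, "x"),
        "honest":      login_safe(conn, "guest", "guest"),
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The second payload is why "the password is hashed" is not a defence on its own: the injected UNION reads whatever column the attacker names, and the fix is the bound parameter, not the format of the data behind it.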
Threats (cont.)
• Executable Content/Mobile Code
– Code that is downloaded to the user’s
machine and executed.
– Running programs on a computer may give
the program unexpected access to resources
on the machine.
– Examples include:
• Web applets - mini programs written in
Java that are automatically loaded and run.
• Dynamic email - active scripts/messages
are included in email messages.
Threats (cont.)
• Incomplete Parameter Check and
Enforcement
• Covert Channels
• Inadequate Granularity of Controls
• Social Engineering
• Multiple Paths to Information
Malware and Viruses
Malicious Software Definition:
• Software or programs intentionally designed to
include functions for penetrating a system,
breaking security policies, or to carry malicious
or damaging payloads.
• Programming bugs or errors are not generally
included in the topic
• Backdoors, data diddlers, DDoS, hoax
warnings, logic bombs, pranks, RATs, trojans,
viruses, worms, zombies, etc.
Network Aware
Modern malware is network aware.
– New means of spread
– New methods of attack
– New payloads
Network Aware
Example: SQL Slammer
[Figure: CAIDA maps of infected hosts at 9:30 PM and 9:40 PM (PST); source www.caida.org]
• ~100,000 hosts infected in ten minutes
• Sent more than 55 million probes per second worldwide
• Collateral damage: Bank of America ATMs, 911 disruptions, Continental Airlines cancelled flights
• Effectively unstoppable once it was spreading; the payload was relatively benign to infected hosts, and the damage came from the scanning traffic itself
Malware
Compatible – Platform Dominance
• Intel / BIOS hardware
• MS Windows operating systems
• Linux operating systems
• MS Office applications
• MS email and Web applications
Malware Functionality
• MS Office macros
• MS Windows Script Host (.vbs)
• ‘Active’ Web content
  – HTML, VBScript, JScript, etc.
• Viruses, etc. can carry source code
Malware Types
• Virus
• Worm
• Hoax warning
• Trojan
• Logic bomb
• Data diddler
• Backdoor
• RAT (Remote Access Trojan)
• DDoS (Distributed Denial of Service) zombie
• Prank
• Spyware / Adware
• Botnets
Many modern malware programs cross boundaries, combining more than one type of function.
Malware Types - Virus
• Central characteristic is reproduction
• Generally requires some action by the
user
• May or may not carry payloads
• Payload may or may not be damaging
Virus Types
• File infector
• Boot sector infector
• System infector
• Email virus
• Multipartite
• Macro virus
• Script virus
• Hoax
Malware Types - Hoax
• Uses users rather than
programming
• ‘Meme’ or mind virus, social
engineering
• Usually warns of a ‘new virus’
• Can be a bigger problem than
viruses themselves
Virus Anti-Detection
• Stealth
– General reference to all forms of anti-detection technology
• Tunneling
• Polymorphism
• Antivirus (anti-malware) disabling
Virus Structure
• Infection / reproduction
• Target search
• Infection
• Payload trigger
• Payload
Malware Types - Worm
• Reproduces
– Generally uses loopholes in
systems
• Does not involve user
– Often attacks server software of
some type
Malware Types – Trojan Horse
• Purported to be a
positive utility
– Hidden negative
payload
– Social engineering
Malware Types – Logic Bomb
• Generally implanted by an insider
• Waits for condition or time
• Triggers negative payload
Malware Types – Data Diddler
• Payload in a Trojan or virus that
deliberately corrupts data,
generally by small increments
over time
Malware Types – Backdoor,
Trapdoor
• Implanted intentionally in
development, or by error, usually
by an insider
• Maintenance hook (may have
been deliberate and useful)
• Also bug / loophole / wormhole
Malware Types – RAT
• Installed, usually remotely, after
system installed and working, not
in development
– Trojan vs. tool: the same remote-control program is administration software or malware depending on who installed it and whether the system owner consented
– Rootkits need privileged access on the host before they can be installed; RATs generally don't, since they arrive as trojans the user runs
Malware Types – DDOS Zombie
• Expands effect of denial of
service.
–Middle of master / attacker – agent
– target structure.
–Hides attacker, multiplies attack.
Malware Types - Prank
• Intended as humor, not malice
– Could still cause problems
• ‘Joke’ screen could cover important
alert message
– Easter eggs
• Cause file bloat, disk consumption
• Code checking more complex
Malware Types – Spyware and
Adware
• Intended as marketing, not malice
• Installed with other software
– As a separate function or program
• Generates unwanted or irrelevant
advertising
• Reports on user activities
– possibly other installed programs,
possibly user surfing
Malware Types – BotNets
• Networks of infected machines.
– for distributed denial of service.
– as proxies for SPAM.
– often controlled via Internet Relay
Chat servers
Quick Quiz
• What are lock controls?
• What are database management
systems used for?
• What is the difference between a
Hierarchical DBMS and a Network
DBMS?
• What are some of the significant threats
to the applications environment?
Section Summary
• Lock controls are used to control read and write access
to specific rows of data in relational systems, or objects
in object-oriented systems.
• Database management systems are used to manage
large, structured sets of data, provide access to multiple
users, and enforce integrity of data.
• A Hierarchical DBMS organizes records in a single tree of parent/child relationships, whereas a Network DBMS represents data as a network of records and sets that are related to each other, forming a network of links.
• Application environment threats include malicious
software, trap doors and back doors, object reuse, etc.
Section Objectives
• List the types of software
development methods
• Define programming language
• Describe software protection
mechanisms
• Describe the system development life
cycle
• List information security activities
System Life Cycle
• Project management-based methodology
used to plan, execute, and control
software development and maintenance
• Provides a framework for the phases of
software development projects and
includes disposal stage
• Involves teams of developers, analysts,
owners, users, technical experts, and
security experts
System Life Cycle
Typical Phases of a System Life Cycle
• Start-up
• Acquisition & Development
• Implementation
• Operations & Maintenance
• Decommissioning
Systems Development Life Cycle Framework
Phases:
• Initiation/Requirements
• Functional Design
• Detailed Design
• Development/Construction
• Testing
• Production
• Maintenance
Grouped into four stages: Define, Design, Develop, Deliver.
Project Initiation and Planning
Functional Design Definition
Detailed Design Specifications
Develop and Document
Acceptance, Testing and Transition
to Production
Decommissioning / Disposal
• When an asset is being taken out of
production and is decommissioned or
retired, the asset owner shall ensure
the following stages are adhered to:
– Information Recovery Protection
Requirements
– Media Sanitization
– Hardware and Software Disposal
Software Development Methods
• Waterfall – Each phase completes before the next begins
  – Simple to manage, but going back to change an earlier phase is costly, and it does not scale to large, complex projects
• Spiral – Combination of Waterfall and Prototype
– Risk assessment at each phase, with Go/No Go decision
• Iterative Development – multiple waterfall approach
– Successive refinements in requirements and design
• Joint Analysis Development – Users & Developers
– Focus on team of experts; used for mainframe systems development
• Prototyping – build simple version first, then refine
– 4 steps: concept, design/build, refine, complete and release
• Rapid Application Development (RAD) – rapid prototype
– Strict time limits imposed to allow quick development
Software Development
Methods (cont.)
• Modified Prototype Model (MPM) – dynamic model which
changes over time as organization needs change
• Exploratory Model – research used to enhance existing model
• Reuse Model – Object oriented
• Cleanroom – Zero Defect approach
• Computer Aided Software Engineering (CASE) – For
large, complex projects
• Component Based Development – Standardized building
block approach
• Structured Programming Development – Modular
development, high quality
• Extreme Programming – small teams, very short release cycles, tests written alongside the code, and the simplest design that works; aims to deliver the most valuable function early rather than everything at the end
Programming Languages
• A language is a set of rules that tell the computer
what operations to perform.
• Languages have evolved in “generations.”
– Generation One - Machine language
– Generation Two - Assembly language
– Generation Three - High-level language
– Generation Four - Very high-level language
– Generation Five - Natural language
Programming Languages
• Examples of languages include:
  – COBOL, PL/I
  – C, C++
  – Java
  – Visual programming languages: Visual Basic, Visual C, Delphi
  – Often listed alongside them but not programming languages: HTML (a markup language) and ActiveX (a component technology)
Assemblers, Compilers, and
Interpreters
• Assembler - program that translates an
assembly language program into machine
language
• Compiler - translates a high-level language
into machine language
• Interpreter - instead of compiling a program
at once, the interpreter translates it
instruction-by-instruction. It has a fetch and
execute cycle.
Quick Quiz
• What is a programming language?
• What is a system development life
cycle?
• At what point in the system’s
development life cycle should security
be addressed?
Section Summary
• A programming language is a set of rules that tell
the computer what operations to perform.
• A system development life cycle is a project
management-based methodology used to plan,
execute, and control software development.
• Security requirements should be addressed
within every phase of the systems development
life cycle.
Section Objectives
• Describe Object Oriented Technology
• List some of the software protection
mechanisms that can be used to
protect the applications environment
• Describe key web application security
principles
• Describe and understand change
management principles
Object-Oriented Programming
• Programming method that creates an
“object.”
– The object is a block of pre-assembled code
that is a self-contained module.
– Once written, objects can be reused.
– Objects are encapsulated (their internal state is reachable only through their methods), which provides some security.
– Objects have methods (code with programming
interfaces) and attributes (data) encapsulated
together.
Distributed Object Oriented
Systems
• Three main items:
– Classes - tell the system how to make
objects
– Objects - an instance of the class
– Message - objects perform work by
sending messages to other objects
Object-Oriented Considerations
• Inheritance
– An object derives data and functionality from
another object
• Polymorphism
– Different objects respond to the same
command in different ways
Object-Oriented Considerations
• Polyinstantiation
– Creating a new version of an object by
replacing variables with other values (or
variables)
– Also used to prevent inference attacks against
databases because it allows different versions
of the same information to exist at different
classification levels.
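Added example, not from the slides, of the polyinstantiation slide above applied to a database: a multilevel relation in which the same real-world key (a flight number) has one tuple per classification level. Because the classification is part of the primary key, a low-level "cover story" tuple and the SECRET tuple coexist instead of colliding, and an UNCLASSIFIED user inserting a flight number that already exists at SECRET is not refused, so they cannot infer the secret row's existence from a key violation. The flights table, its rows and the level numbers are constructed sample data; the query returns, for each flight, the highest instance at or below the subject's clearance.

```python
import sqlite3

# Added example (not from the slides): polyinstantiation in a multilevel table.
# Flights, levels and rows are constructed sample data.

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}

def build():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE flights (
            flight      TEXT    NOT NULL,
            level       INTEGER NOT NULL,
            destination TEXT    NOT NULL,
            cargo       TEXT    NOT NULL,
            PRIMARY KEY (flight, level)   -- the level is part of the key
        );
        INSERT INTO flights VALUES ('F101', 0, 'Lisbon', 'mail');        -- cover story
        INSERT INTO flights VALUES ('F101', 2, 'Base X', 'munitions');   -- the SECRET instance
        INSERT INTO flights VALUES ('F202', 0, 'Oslo',   'supplies');
    """)
    return conn

def rows_for(conn, clearance):
    """What a subject at this clearance sees: for each flight, the highest
    instance at or below their level. Higher instances do not exist to them."""
    lvl = LEVELS[clearance]
    return conn.execute("""
        SELECT f.flight, f.destination, f.cargo
          FROM flights f
         WHERE f.level = (SELECT MAX(level) FROM flights
                           WHERE flight = f.flight AND level <= ?)
         ORDER BY f.flight""", (lvl,)).fetchall()

def insert_as(conn, clearance, flight, destination, cargo):
    """Insert at the subject's own level. True on success, False on a key
    conflict at that same level. Without the level in the key, a low user
    inserting 'F101' would be refused by the SECRET row and learn it exists."""
    try:
        with conn:
            conn.execute("INSERT INTO flights VALUES (?, ?, ?, ?)",
                         (flight, LEVELS[clearance], destination, cargo))
        return True
    except sqlite3.IntegrityError:
        return False

if __name__ == "__main__":
    db = build()
    print(rows_for(db, "UNCLASSIFIED"))   # F101 -> Lisbon, mail
    print(rows_for(db, "SECRET"))         # F101 -> Base X, munitions
    print(insert_as(db, "SECRET", "F303", "Base Y", "fuel"))
    print(insert_as(db, "UNCLASSIFIED", "F303", "Rome", "tourists"))   # no conflict
```

The price of the technique is visible in rows_for: every read has to resolve which instance applies, and the application must never join on flight number alone.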
Distributed Component Object
Model (DCOM)
• Based on the growth of distributed computing.
• Allows applications to be divided into pieces called
components and each component can exist in a
different location.
• The components interact with each other as one integrated application, including across the Web. DCOM is the networked extension of Microsoft's Component Object Model (COM), the same technology that underlies ActiveX, and it controls how the components communicate.
Common Object Request Broker
Architecture (CORBA)
• A set of standards that address the need
for interoperability between hardware and
software.
– Allows applications to communicate with one
another regardless of their location.
– The Object Request Broker (ORB) establishes
a client/server relationship between objects.
– The ORB enforces the system’s security
policy.
CORBA
• Client sends a message to another object.
• The message is sent through the ORB security
system.
Software Protection Mechanisms
Subtopics
• Cryptography
• Access Controls
• Social Engineering Awareness
• Backup and Redundancy Controls
• Malicious Code Control
• Documentation and Common Program Controls
• Testing and Evaluation
• Mobile Code Controls
• Data Contamination Controls
Cryptography
• Protects information by transforming it
using encryption schemes.
– Protects the confidentiality of data.
– Can be used to detect unauthorized
modification of data/programs.
– Specific files within operating systems
are encrypted to provide security
protection.
Access Controls
• Physical
• Logical
– Isolate production and programming
environments
– Separate data for each environment
– Content Dependent
– Rules/Roles Based
– Access control lists and permissions
• Read/write/execute control
– Capabilities and tokens
• Administrative
– Change management
– User registration
– User Authentication
Backup and Redundancy Controls
• Providing backups of operating
system and application software
ensures programs are available in the
event of an outage or system crash.
• Disk mirroring, Redundant Array of
Independent Disks (RAID), etc.
• Purchased source code kept in
escrow.
Protection from Malicious Code
Subtopics
• Known signature scanning
• Activity monitoring
• Change detection
Known Signature Scanning
• Signatures of known objects (viruses,
other types).
• Program code, packets, ports, memory
• Update signatures – possibly daily.
• Subject to false negatives / false
acceptance errors.
Activity Monitoring
• Auditing
– Monitoring processing, disk activity,
communications traffic.
– Heuristic scanning – watch for small but
suspicious code strings.
• e.g., code that may request privileged
access.
Change Detection
Detection:
– Changes to program files, processes.
– Addition of new executable files.
– Often incorrectly referred to as integrity
checking.
• May be misleading – the integrity of the
system may have been compromised before
establishment of initial baseline.
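Added example (not part of the (ISC)2 course material) of the change detection described above, which also illustrates the cryptography slide's point that digests can detect unauthorized modification of programs: a baseline of file digests is recorded, and later scans report modified files and newly added executables. The directory layout and file names are constructed for the demo.

```python
"""Change detection as described on the slide: record a baseline of program files,
then report modified files and newly added executables. Added example, not course
material; the directory layout and file names are constructed for the demo."""
import hashlib
import stat
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of the file contents, streamed so large binaries need little memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_executable(path: Path) -> bool:
    """True if any execute bit is set (POSIX permissions)."""
    return bool(path.stat().st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def build_baseline(root: Path) -> dict:
    """Digest and executable flag for every regular file under root.
    Caveat from the slide: this only captures the state at baseline time; if the
    system was already compromised, the compromise is baked into the baseline."""
    return {
        str(p.relative_to(root)): {"sha256": file_digest(p), "exec": is_executable(p)}
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def detect_changes(root: Path, baseline: dict) -> dict:
    """Compare the live tree with the baseline: modified files, new executables, removals."""
    current = build_baseline(root)
    return {
        "modified": sorted(f for f in current
                           if f in baseline and current[f]["sha256"] != baseline[f]["sha256"]),
        "new_executables": sorted(f for f in current if f not in baseline and current[f]["exec"]),
        "removed": sorted(f for f in baseline if f not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then alter a config and drop a new binary."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        app = root / "bin" / "app"
        app.write_bytes(b"#!/bin/sh\necho hello\n")
        app.chmod(0o755)
        (root / "config.ini").write_text("debug=0\n")
        baseline = build_baseline(root)
        (root / "config.ini").write_text("debug=1\n")      # modified after baseline
        dropped = root / "bin" / "update"
        dropped.write_bytes(b"#!/bin/sh\n")                # new executable after baseline
        dropped.chmod(0o755)
        return detect_changes(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline itself must be stored where the monitored system cannot rewrite it (read-only media or a separate host), otherwise an intruder who can alter the files can also alter the record of them.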
Documentation and Common
Program Controls
• Protect operating system and application
software.
• Protect job and system documentation.
• Protect logs.
• Have a program library to control and
record changes.
Input Data Contamination Controls
• Transaction counts
• Dollar counts
• Hash totals
• Error detection
• Error correction
• Resubmission controls
• Self-checking digits
• Control totals
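Added example (not part of the (ISC)2 course material) showing several of the input controls above working together on one batch of payment records: a transaction count, a dollar total, a hash total of the account numbers, and a self-checking (Luhn mod-10) digit on each account number. The record layout and both sample batches are constructed.

```python
"""Input data contamination controls from the slide, applied to a batch of payment
records: transaction count, dollar total, hash total of account numbers, and a
self-checking (Luhn mod-10) digit on every account number. Added example; the
record layout and the sample batches are constructed, not course material."""
from decimal import Decimal

# Constructed layout: header 'H,<count>,<dollar total>,<hash total>' then 'T,<account>,<amount>'.
GOOD_BATCH = """H,2,199.50,129854797429
T,79927398713,125.00
T,49927398716,74.50
"""
# Same batch after a keying error: last two account digits transposed, amount mistyped.
BAD_BATCH = """H,2,199.50,129854797429
T,79927398713,125.00
T,49927398761,74.05
"""


def luhn_valid(number: str) -> bool:
    """Self-checking digit: Luhn catches any single-digit error and most transpositions."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_batch(text: str):
    """Split a batch into the expected control values and the transaction list."""
    lines = [ln.split(",") for ln in text.strip().splitlines()]
    header = lines[0]
    if header[0] != "H":
        raise ValueError("batch must start with a header record")
    expected = {"count": int(header[1]), "dollars": Decimal(header[2]), "hash": int(header[3])}
    txns = [(f[1], Decimal(f[2])) for f in lines[1:] if f[0] == "T"]
    return expected, txns


def validate_batch(text: str) -> list:
    """Return the list of control failures; an empty list means the batch may be posted."""
    expected, txns = parse_batch(text)
    errors = []
    if len(txns) != expected["count"]:
        errors.append(f"transaction count {len(txns)} != {expected['count']}")
    dollars = sum((amt for _, amt in txns), Decimal("0"))
    if dollars != expected["dollars"]:
        errors.append(f"dollar total {dollars} != {expected['dollars']}")
    # Hash total: an otherwise meaningless sum of account numbers that exposes a
    # wrong, dropped or duplicated account even when the money still balances.
    hash_total = sum(int(acct) for acct, _ in txns)
    if hash_total != expected["hash"]:
        errors.append(f"hash total {hash_total} != {expected['hash']}")
    errors += [f"account {acct} fails check digit" for acct, _ in txns if not luhn_valid(acct)]
    return errors
```

A batch that fails any control is held for the resubmission procedure rather than partially posted, which is what "fail closed" means for batch input.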
Output Data Controls
• Verify validity of transactions through:
– Reconciliation
– Physical-handling procedures
– Authorization controls
– Verification with expected results
– Audit trails
– Error report handling and analysis
Executable Code/Mobile Code
Controls
• Limit the program to required
resources only.
– e.g., use a sandbox environment
• Examine and limit downloading of
mobile code at firewall.
• Use cryptographic authentication to
show the user who is responsible for
the code.
Testing and Evaluation
• Test data should include data at the ends
of the acceptable data ranges, various
points in between, and data beyond the
expected and allowed data points.
– Test known and possible user entry activities.
– Perform ‘bounds’ and valid data checking,
such as field size, time, date, etc.
Testing and Evaluation (cont.)
• Validate data both before and after
job runs.
• Sanitize test data to ensure sensitive
production data is not exposed
through test process.
Web Site Incidents - Examples
• Vandalism
• Financial fraud
• Privileged access
• Theft of transaction information
• Theft of intellectual property
• Denial of Service (DoS)
Web Application Environment
• Majority of the hacks being performed
today are at the application level.
– Easiest way to compromise hosts,
networks.
– Widely accessible.
– Logs are often non-existent.
– Minimal intrusion detection.
• Most traditional firewalls provide
minimal protection.
Securing Web Servers
Traditional Architecture
Web Application Security
Why A Firewall Doesn’t Help
[Diagram: Firewall in front of Web Server and Database Server; ports shown: 80/443, 111, 22, 23, 161, 257, 992]
Securing Web Servers
Best practices
• Institute a DMZ Quality Assurance signoff process for
web servers
– Hardening of operating system
– Hardening of web server
– Execution of a web and network scan before deployment
• Consider the use of passive assessment IDS technology
• Consider the use of Web application firewalls
• Consider the use of advanced IPS systems
• Implement SYN proxies on the firewall
• Disable unnecessary documentation and libraries
Securing Web Servers
Web Application Firewall Architecture
Web Application Security
Subtopics
• Information Gathering
• Administrative Interfaces
• Authentication and Access Control
• Configuration Management
• Input Validation
• Parameter Manipulation
• Session Management
Information Gathering
• Problem:
– Information may be gathered through:
• Browser cache and history
• HTML comments
• Error pages returned by server
• Old, backup and unreferenced files
• Database usernames and passwords in ASP files
• Un-parsed include (INC) files
• Solution:
– Be aware of the information and limit its
availability
Administrative Interfaces
• Problem:
– Most commercial software and web application servers
install administrative features by default
– Many in-house applications contain a web
administration page
• Solution:
– Ensure these interfaces are removed or secured
appropriately
– Only allow access from authorized hosts or networks
– Do not hard code authentication credentials
– Ensure at least as secure as the rest of the application
Authentication & Access Control
• Problem:
– Authentication process may be vulnerable to
brute force attacks
– Denial of service possible by mass account
lockout
– Authentication process may be vulnerable to
password sniffing
• Solution:
– Account lockout & logging procedures
– Ensure all authentication traffic is encrypted
Configuration Management
• Problem:
– Most software is delivered with insecure
configurations
• Default accounts
• Solution:
– Remove default configurations
– Configure permissions on web server
correctly (read/write access)
– Up-to-date vendor patches
Input Validation
• Problem:
– Buffer overflows
– Client-side validation
– Cross-site scripting
– Direct OS commands
– Direct SQL commands
– Path traversal
– Unicode encoding
– URL encoding
• Solution:
– Adequate data validation
Parameter Manipulation
• Problem:
– Cookie manipulation
– Form field manipulation
– Hidden fields
– URL manipulation
• Solution:
– Adequate data validation
Session Management
• Problem:
– Information sent in clear text
– Sessions vulnerable to replay/hijacking
• Solution:
– Always encrypt the cookie
– Build time validation into the session ID
– Do not use sequential (predictable) session
IDs
– Use random, unique session IDs
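Added example (not part of the (ISC)2 course material) of a session ID built the way the slide prescribes: random and unique, with the issue time built in so the server can reject expired IDs, and an HMAC tag so the time cannot be altered by the client. The key, the 15-minute lifetime and the token layout are constructed assumptions; the ID carries no secret data, so transport confidentiality is still provided by TLS.

```python
"""Session identifiers as the slide prescribes: random and unique, with an issue time
built in so the server can expire them, and an HMAC tag so neither part can be altered
in transit. Added example, not course material; key, TTL and token layout are constructed."""
import base64
import binascii
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)   # constructed; load from a secret store in production
SESSION_TTL = 900                       # assumed lifetime in seconds
RANDOM_LEN, TIME_LEN, TAG_LEN = 16, 8, 32


def issue_session_id(now: Optional[float] = None, key: bytes = SERVER_KEY) -> str:
    """128 random bits (unpredictable, unique) + big-endian issue time, then HMAC-SHA256."""
    issued = int(time.time() if now is None else now)
    body = secrets.token_bytes(RANDOM_LEN) + struct.pack(">Q", issued)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode("ascii")


def validate_session_id(token: str, now: Optional[float] = None,
                        key: bytes = SERVER_KEY, ttl: int = SESSION_TTL) -> bool:
    """Reject malformed, tampered, forged or expired IDs; True only for a live session."""
    try:
        raw = base64.urlsafe_b64decode(token.encode("ascii"))
    except (ValueError, binascii.Error):
        return False
    if len(raw) != RANDOM_LEN + TIME_LEN + TAG_LEN:
        return False
    body, tag = raw[:RANDOM_LEN + TIME_LEN], raw[RANDOM_LEN + TIME_LEN:]
    # Constant-time comparison so the check itself does not leak the tag byte by byte.
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        return False
    issued = struct.unpack(">Q", body[RANDOM_LEN:])[0]
    current = int(time.time() if now is None else now)
    # Time validation: reject IDs dated in the future (skew or forgery) and expired ones.
    return 0 <= current - issued <= ttl
```

Stateless validation like this proves the ID was issued by this server and is still within its lifetime; revocation on logout or account lockout still needs a server-side session store.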
Web Application Security
Principles
• Validate all input and output.
• Fail secure (closed).
• Make it simple.
• Design secure networks.
– Defense in depth.
– Only as secure as your weakest link.
– Security by obscurity doesn’t work.
Other Considerations
• Do not cache secure pages.
• Ensure all encryption used meets industry
standards.
• Monitor third party code vendors for
security alerts.
• Log all critical transactions and
milestones.
Other Considerations (cont.)
• Handle exceptions properly.
• Do not trust any data from the client.
– Trusting client-side data is the number
one source of application vulnerabilities.
• Do not trust data from other servers,
partners, or other parts of the
application.
Information Auditing
• Log and Audit any action that could
affect the release of sensitive
information.
– Level and type of auditing is dependent
on the features of the installed software
and the sensitivity of the data.
– Provides information on what types of
activities have occurred and who or what
processes took the action.
Change Management Process
Overall Steps
Change Management
Key Points
• Rigorous process that addresses
quality assurance.
• Changes must be submitted,
approved, tested and recorded.
• Should have a back out plan in case
change is not successful.
Patch Management
Problem: Software Bugs and Insecurities
Solution: Security Patch Management Process
Patch Management
Overview
• Application of service packs is an important
step in security configuration
• Service packs to the operating systems may
contain processing and security
enhancements
• If the version of the operating system is not
current and/or the latest service packs are not
applied, unauthorized users may be able to
exploit weaknesses in the operating system
that may not exist after the service pack
Patch Management
Process
1. Infrastructure
– develop a patch strategy
– team responsible for patch management process
2. Research
– vendor websites, which must be authenticated
– must account for various systems/applications
3. Assess and Test
– change management process
– test then deploy to production
– test environment should mirror the production
environment
Patch Management
Process
4. Mitigation (“Rollback”)
– Mitigation process should be developed
5. Deployment (“Rollout”)
– Patch less sensitive systems first
– Automated processes
– Process management team should be present for support
– Schedule of patching times
6. Validation, Reporting, and Logging
– Auditing
– Scanning
– Post SPMP Review
Patch Management
Limitations
• Distribution System Failures
– Example: Corruption, DoS, and Information Leakage
• Patch Failures
– Example: DoS and Content Corruption
• Time-Related Issues
– Example: Bandwidth: prioritization, scalability
• Inadequate Testing & Validation
• Patch Rollback
• Load on the network
• Stability issues and other regression issues
Patch Management
Best Practices
• Determining the “right” solution
• Vendor Change Control process
• Open source patches
• Backup
• Regression Testing
• Evaluation process for new patches and
updates
• Speed and scope of patches
• Maintaining a comprehensive inventory
Patch Management
Alternatives
Should be used in conjunction with Patches:
• Wrappers
• Hardening
• Integrity Controls
• Configuration Management
• Intrusion Detection and Response
• Firewalls
Certification and Accreditation
• Certification and Accreditation is a set of
procedures and judgments that assess the
suitability of a system to operate in a target
operational environment
• Ideally an ongoing set of processes
• Should be revisited whenever a major change
occurs
– New connection
– Addition of a major application
– Significant technology upgrade, etc.
Security Certification
• Comprehensive (technical)
analysis of the security features
and safeguards of a system to
establish the extent to which the
security requirements are
satisfied.
Security Certification (cont.)
• Security certification considers the
system in its operational environment
– Security mode of operations
– Specific users (and their training)
– Applications and data sensitivity
– System and facility configuration and
location
– Interconnections with other systems
Accreditation
Accreditation is the official management
decision to operate a system
– Particular security mode
– Prescribed set of countermeasures
– Defined threat; stated vulnerabilities
– Given operational concept & environment
– Stated interconnections to other systems
– Risk formally accepted
– Stated period of time
Quick Quiz
• What are examples of software
protection mechanisms that can be
used?
• What are some of the ways to protect
web application environments?
• What is change management?
• What is certification and accreditation?
Section Summary
• Examples of software protection mechanisms include
cryptography, access controls, social engineering awareness,
backup and recovery controls, malicious software controls, data
contamination controls.
• Some of the ways to protect the web application environment
include validating all input, securing all administrative interfaces,
ensuring adequate authentication and access controls, etc.
• Change management is a rigorous process that ensures quality
assurance of changes.
• Certification is a comprehensive analysis of the features of a
system to make sure it addresses the security problem that you
may have, and accreditation is the official management decision
to actually operate a system.