CISSP Guide to Security Essentials, Ch4 - PowerPoint PPT Presentation

1 / 67
About This Presentation
Title:

CISSP Guide to Security Essentials, Ch4

Description:

Application Security CISSP Guide to Security Essentials Chapter 3 CISSP Guide to Security Essentials * Summary (cont.) Software development life cycle (SDLC) steps ... – PowerPoint PPT presentation

Number of Views:277
Avg rating:3.0/5.0
Slides: 68
Provided by: PeterGre3
Category:

less

Transcript and Presenter's Notes

Title: CISSP Guide to Security Essentials, Ch4


1
Application Security
CISSP Guide to Security Essentials Chapter 3
2
Objectives
  • Types of applications
  • Application models and technologies
  • Application threats and countermeasures
  • Security in the software development life cycle

3
Objectives (cont.)
  • Application security controls
  • Databases and data warehouses

4
Types of Applications
  • Agents
  • Standalone programs that are part of a larger
    application
  • Examples
  • Anti-virus
  • Patch management
  • Configuration management

5
Types of Applications (cont.)
  • Applets
  • Software programs that run within the context of
    another program
  • Example media players within browser

6
Types of Applications (cont.)
  • Client-server
  • Separate programs on clients and servers
    communicate via networks and work together
  • Few developed now but many are in use

7
Types of Applications (cont.)
  • Distributed
  • Software components run on several systems
  • Two-tier, three-tier, multi-tier
  • Reasons scalability, performance, geographical

8
Types of Applications (cont.)
  • Web
  • Web browser as client, application server
    back-end
  • Client software nearly universal
  • Application software centralized

9
Application Models and Technologies
  • Control flow languages
  • Structured languages
  • Object oriented languages
  • Knowledge based languages

10
Control Flow Languages
  • Linear, sequential
  • Use of if then else
  • Branching with go to
  • Examples
  • BASIC, COBOL, Cold Fusion, FORTRAN, Perl, PHP,
    Python, VBScript

11
Structured Languages
  • Nested, heavy use of subroutines and functions
  • Little or no go to
  • Examples
  • C
  • Pascal

12
Object Oriented Languages
  • Utilize concepts of object programming
  • Classes, objects, instances, and inheritance
  • Methods, instantiations
  • Encapsulation, abstraction, polymorphism
  • Examples
  • C, Java, Ruby, Simula, Smalltalk

13
Knowledge Based Applications
  • Neural networks
  • Modeled after biological reasoning processes
  • Artificial neurons that store pieces of
    information
  • Given cases about situations and outcomes, can
    predict future outcomes

14
Knowledge Based Applications (cont.)
  • Expert systems
  • Inference engine and knowledge base of past
    situations and outcomes

15
Threats to Applications
  • Reasons for attacks
  • Industrial espionage
  • Vandalism and disruption
  • Denial of service
  • Political / religious

16
Threats to Applications (cont.)
  • Buffer overflow attacks
  • Disrupt a software application by providing more
    data to the application than it was designed to
    handle

17
Threats to Applications (cont.)
  • Buffer overflow attacks (cont.)
  • Types
  • Stack buffer overflow
  • NOP sled attack
  • Heap overflow
  • Jump to register attack

18
In Java
  • Instance variables and Objects lie on Heap.
  • Local variables and methods lie on the Stack. So
    if we have a main method which calls the go()
    method which calls the gone() method then the
    stack from top to bottom would consist of

19
  • gone()
  • go()
  • main()

20
(No Transcript)
21
Threats to Applications (cont.)
  • Examples Morris worm, ping of death, code red
    worm
  • Buffer overflow attack countermeasures
  • Use safe languages and libraries
  • Executable space protection
  • Stack smashing protection
  • Application firewalls

22
Threats to Applications (cont.)
  • Covert channel
  • Unintended and hidden channel of communications
  • Types
  • Covert storage channel read a storage location
    and learn about the application or other data

23
Threats to Applications (cont.)
  • Covert channel types (cont.)
  • Timing channel observe timings in an
    application to determine what is happening in
    the application
  • Countermeasures
  • Careful software analysis, good software
    engineering
  • Newer versions of firewall

24
Threats to Applications (cont.)
  • Side channel attack
  • An attack on a cryptosystem based upon physical
    information gained from the system
  • Examples timing, power consumption, emanations,
    and even sounds

25
Threats to Applications (cont.)
  • Countermeasures
  • Limit release of information through shielding
    and other means

26
Threats to Applications (cont.)
  • Malicious software
  • Types viruses, worms, Trojan horses, rootkits,
    bots, spam, pharming, spyware, key loggers
  • Purpose
  • Steal, corrupt, or destroy information
  • Remote control
  • Denial of service

27
Threats to Applications (cont.)
  • Types of malware
  • Virus human assisted replication, embed in
    programs, files, master boot records
  • Worm self replicating, scan for victims, rapid
    spread
  • Trojan horse claims one function, but is malware

28
Threats to Applications (cont.)
  • Types of malware (cont.)
  • Rootkit hide within or beneath the operating
    system
  • Bot remote control zombie
  • Spam unsolicited e-mail

29
Threats to Applications (cont.)
  • Types of malware (cont.)
  • Pharming attack on DNS to redirect traffic to
    decoy application
  • Spyware collect information about usage,
    forward to central server
  • Key logger logs keystrokes and mouse movements,
    forwards to central server

30
Threats to Applications (cont.)
  • Malware countermeasures
  • Anti-malware
  • Patches
  • Firewalls and application firewalls
  • Hardened systems

31
Threats to Applications (cont.)
  • Malware countermeasures (cont.)
  • Intrusion detection systems
  • Decreased privilege levels
  • Penetration testing

32
Threats to Applications (cont.)
  • Input attacks
  • Buffer overflow
  • Script injection
  • Cross site scripting
  • Cross site request forgery

33
Threats to Applications (cont.)
  • Countermeasures
  • Input field filtering, application firewall,
    application vulnerability scanning, software
    developer training

34
Threats to Applications (cont.)
  • Object reuse
  • Use of a resource belonging to another process,
    including
  • Memory, databases, file systems, temporary
    files, and paging space

35
Threats to Applications (cont.)
  • Object reuse countermeasures
  • Application isolation
  • Server virtualization
  • Developer training

36
Threats to Applications (cont.)
  • Mobile code
  • Executable code, active content, downloadable
    content
  • Examples active website content, downloaded
    programs
  • Some is desired, but some is malicious in nature

37
Threats to Applications (cont.)
  • Mobile code countermeasures
  • Anti-malware, mobile code access controls
  • Reduced user privileges

38
Threats to Applications (cont.)
  • Social engineering
  • Attack on personnel to gain secrets
  • People are vulnerable because they want to help
  • Social engineering countermeasures
  • Security awareness training that includes
    accountability

39
Threats to Applications (cont.)
  • Time of check / time of use (TOCTOU)
  • Also known as a race condition
  • Defect in resource allocation and management
    controls
  • Possible exploitation to cause harm or steal data

40
Threats to Applications (cont.)
  • TOCTOU countermeasures
  • Reviews of resource allocation controls
  • Improve privacy of communications

41
Threats to Applications (cont.)
  • Back door / maintenance hook
  • Access holes deliberately planted by a developer
  • To facilitate easier testing during development
  • To facilitate production access
  • To facilitate a break-in

42
Threats to Applications (cont.)
  • Back door countermeasures
  • Code reviews
  • Source code control

43
Threats to Applications (cont.)
  • Logic bombs
  • Deliberate malfunction that causes harm
  • Time bombs
  • Malfunction on a given date and time
  • Event bombs
  • Malfunction on a specific event

44
Threats to Applications (cont.)
  • Logic bomb countermeasures
  • Software source code review, external audits

45
Security in the Software Development Life Cycle
(SDLC)
  • SDLC
  • The entire collection of processes used to
    design, develop, test, implement, and maintain
    software

46
Security in the Software Development Life Cycle
(cont.)
  • Security must be included in each step of the
    SDLC
  • Conceptual
  • Requirements and specifications development
  • Application design, coding, and testing

47
Security in the Software Development Life Cycle
(cont.)
  • Security in the conceptual stage
  • Presence of sensitive information must be
    identified
  • Access controls (users, administrators, third
    parties)
  • Regulatory conditions
  • Security dependencies

48
Security in the Software Development Life Cycle
(cont.)
  • Security application requirements and
    specifications
  • Functional requirements
  • Standards
  • Security requirements
  • Roles, access controls, audit logging,
    configuration management

49
Security in the Software Development Life Cycle
(cont.)
  • Requirements and specifications (cont.)
  • Regulatory requirements
  • Test plan a byproduct of requirements

50
Security in the Software Development Life Cycle
(cont.)
  • Security in application design
  • Adhere to all requirements and specifications
  • Published design documents
  • Design reviews
  • Reviewed by all stakeholders including security

51
Security in the Software Development Life Cycle
(cont.)
  • Threat risk modeling
  • Identify threats and risks prior to development
  • Tool Microsoft Threat Analysis and Risk
  • Possible changes to specs, reqs, or design

52
Security in the Software Development Life Cycle
(cont.)
  • Security in application coding
  • Develop safe code
  • Free of common vulnerabilities particularly web
    apps
  • Unvalidated input / broken access control
  • Broken authontication/ scripting attack
  • Buffer overflow / insecure storage
  • Use safe libraries that include safe functions
    for input validation

53
Security in the Software Development Life Cycle
(cont.)
  • Security in testing
  • Testing should verify correct coding of every
    requirement and specification
  • Tools WebInspect, AppScan

54
Security in the Software Development Life Cycle
(cont.)
  • Protect the SDLC itself
  • Source code access control
  • Protect source code
  • Protect development tools / libraries
  • Record version changes
  • Protection of software development and testing
    tools
  • Protect from unauthorized modifications

55
Security in the Software Development Life Cycle
(cont.)
  • Protect SDLC (cont.)
  • Protection of software development systems
  • Prevent introduction of malware, back doors,
    logic bombs

56
Application Environment and Security Controls
  • Controls that must be present in a developed
    application
  • Authentication
  • Limiting access to only legitimate, approved
    users
  • Own authentication / enterprise wide LDAP, Active
    Dir
  • Authorization
  • Limiting access only to approved functions and
    data
  • Thousands of functions / thousands of users

57
Application Environment and Security Controls
(cont.)
  • Controls (cont.)
  • Role-based Access Control
  • Based on job description / job code
  • Audit logging
  • Logging of all actions in the application
  • Date/time, user, users location
  • Event name
  • Relevant data
  • Audit log protection

58
Database Architectures
  • Various databases SQL Server, Oracle, DB2,
    Sybase, etc
  • Hierarchical databases tree structure ,
    Internets DNS, legacy
  • Network databases complex tree structure, legacy
  • Object databases OO, methods stored with data

59
Database Architectures (cont.)
  • Distributed databases physically distributed,
    any type
  • Relational databases (RDBMS) in widest use today
  • Structure is defined by schema
  • Data modular tools are used to create schema
  • Oracle, SQL Server, DB2, MySQL, etc.

60
Database Transactions
  • Records retrieval
  • Records update
  • Records creation
  • Nested or complex transactions executed as a unit
  • Begin work lttransactionsgt end work

61
Database Security Controls
  • Access controls
  • Userids, passwords
  • Table / row / field level access control
  • Read-only or read/write

62
Database Security Controls
  • Views
  • Virtual tables that are a subset of individual
    tables, or a join between tables
  • Permission given to views just like real tables

63
Summary
  • Types of applications agents, applets,
    client-server, distributed, web
  • Application language types control flow,
    structured, object oriented, knowledge based

64
Summary (cont.)
  • Reasons for threats to applications industrial
    espionage, vandalism and disruption, denial of
    service, political / religious

65
Summary (cont.)
  • Types of threats
  • buffer overflow, covert channel, side channel,
    malware, input attacks, object reuse, mobile
    code, social engineering, TOCTOU, back door,
    logic bomb

66
Summary (cont.)
  • Software development life cycle (SDLC) steps
  • Conceptual, requirements / specifications,
    design, coding, testing, maintenance
  • Source code control, configuration management
  • Application environment security controls
  • Authentication, access control, audit logging

67
Summary (cont.)
  • Types of databases
  • Hierarchical, network, distributed,
    object-oriented, relational (most common)
  • Database security controls userid, access
    control, audit logging, views
Write a Comment
User Comments (0)
About PowerShow.com