Application and System Development - PowerPoint PPT Presentation
Provided by: bat7

Transcript and Presenter's Notes

1
Application and System Development

2
Introduction
  • Topic: Application and System Development
  • General security principles
  • The Problem
  • The Controls

3
General Security Principles
  • Accountability
  • Authorization
  • Logging
  • Separation of duties
  • Least privilege
  • Risk reduction
  • Layered defense

4
The Initial Problem
  • Access to Information in a Database
  • Release of information
  • Modification of information
  • Denial of service
  • Relational vs Object Oriented

5
Relational Database
  • Tables
  • Relation (a table, or a set of columns in a table)
  • With Attributes (columns)
  • Each attribute having a set of permissible values
  • A specific attribute is the Key, whose values are
    unique
  • Occurring in Instances (rows); a row is a tuple of
    the relation instance
  • Views
  • With selected attributes
  • Linked by key attributes

6
Relational Database Controls
  • Grant/Revoke Privileges by Table, Column, Key set
  • Permissions by View combining specific Tables,
    Columns, Key sets
  • Conceptually dividing the database into pieces to
    allow sensitive data to be hidden from
    unauthorized users
  • Authorizations for specific views having specific
    attributes, and for actions to perform within
    those views
  • DAC, by specific grant to user or group by owner
  • MAC, by classification level
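
The Grant/Revoke, view and DAC controls on this slide, worked as an added example in Python; this is not code from the presentation. SQLite has no GRANT/REVOKE, so the per-role grants are enforced with the standard library's `sqlite3` authorizer callback, which SQLite consults for every table and column a statement compiles to. The roles, the POLICY and MASKED tables, the employee rows and the `employee_directory` view are all constructed for this example. The example also keeps an audit list of every attempt, the accountability control the deck returns to under Controls.

```python
import sqlite3

# Constructed sample rows for the example (not from the slides).
SAMPLE_EMPLOYEES = [
    (1, "Alice", "Engineering", 120000, "123-45-6789"),
    (2, "Bob", "Finance", 95000, "987-65-4321"),
]

# Hypothetical grants. "direct": the role may read the object itself;
# "via:<view>": the role may read the base table only when the read is
# compiled from that view. Objects not listed are not readable at all.
POLICY = {
    "hr":      {"employees": "direct", "employee_directory": "direct"},
    "analyst": {"employees": "direct", "employee_directory": "direct"},
    "clerk":   {"employees": "via:employee_directory",
                "employee_directory": "direct"},
}
# Column-level revocation: these (table, column) pairs read back as NULL.
MASKED = {"analyst": {("employees", "ssn")}}


def build_db():
    """Base table plus a view exposing only the non-sensitive attributes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, "
        "dept TEXT, salary INTEGER, ssn TEXT)"
    )
    conn.executemany("INSERT INTO employees VALUES (?,?,?,?,?)", SAMPLE_EMPLOYEES)
    conn.execute(
        "CREATE VIEW employee_directory AS SELECT id, name, dept FROM employees"
    )
    conn.commit()
    return conn


def make_authorizer(role):
    """Build the callback SQLite consults while compiling each statement."""
    rules = POLICY.get(role, {})
    masked = MASKED.get(role, set())

    def authorize(action, obj, column, db_name, via):
        # Read-only roles: SELECT statements and built-in functions are fine,
        # every other action (UPDATE, DELETE, DDL, ...) is refused outright.
        if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_FUNCTION):
            return sqlite3.SQLITE_OK
        if action != sqlite3.SQLITE_READ:
            return sqlite3.SQLITE_DENY
        rule = rules.get(obj)
        if rule is None:
            return sqlite3.SQLITE_DENY
        # `via` is the view SQLite is expanding, or None for a top-level read.
        if rule.startswith("via:") and via != rule[len("via:"):]:
            return sqlite3.SQLITE_DENY      # base table touched outside the view
        if (obj, column) in masked:
            return sqlite3.SQLITE_IGNORE    # the column compiles to NULL
        return sqlite3.SQLITE_OK

    return authorize


def run_as(conn, role, sql, audit):
    """Run a statement under the role's grants; log the attempt either way."""
    conn.set_authorizer(make_authorizer(role))
    try:
        rows = conn.execute(sql).fetchall()
        audit.append((role, sql, "ok"))
        return rows
    except sqlite3.DatabaseError as exc:      # "not authorized" lands here
        audit.append((role, sql, "denied"))
        return "denied: %s" % exc


def demo():
    conn = build_db()
    audit = []  # accountability: every access to production data is logged
    results = {
        "hr_direct": run_as(conn, "hr",
                            "SELECT name, salary, ssn FROM employees", audit),
        "analyst_masked": run_as(conn, "analyst",
                                 "SELECT name, ssn FROM employees", audit),
        "clerk_view": run_as(conn, "clerk",
                             "SELECT name, dept FROM employee_directory", audit),
        "clerk_direct": run_as(conn, "clerk",
                               "SELECT name FROM employees", audit),
        "clerk_update": run_as(conn, "clerk",
                               "UPDATE employees SET salary = 0", audit),
    }
    return results, audit


if __name__ == "__main__":
    for key, value in demo()[0].items():
        print(key, "->", value)
```

The clerk reads names through the view, while a direct read of the base table, and any UPDATE, is refused at compile time with "not authorized". The analyst's SSN column comes back NULL because the authorizer returns SQLITE_IGNORE for that read, which is the column-level revoke SQLite offers. The limit to note: an authorizer governs statements on this connection only, so the control holds only when the application, not the user, owns the connection, which is the "no direct access to the database" rule later in the deck.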

7
Object-Oriented Database
  • Subjects
  • Objects
  • Methods of accessing them
  • Controls using Encapsulation, Inheritance,
    Information hiding

8
Object-Oriented Issues
  • Controls
  • Polyinstantiation
  • Instantiating the same object (the same key or
    name) more than once, once per security level,
    each instance holding the version of the data
    appropriate to that level
  • Information located in more than one location for
    use by more than one user, usually having
    different security levels
  • Requires sensitive information to be removed from
    the instance stored at lower levels
  • Ensuring integrity with multiple updates going on
    is difficult
  • Polymorphism
  • Different objects responding to a common command
    in different ways
  • Controls are provided by Encapsulation,
    Inheritance and Information hiding
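
Polyinstantiation worked as an added example in Python with `sqlite3`; it is not code from the presentation. The flight table, the three classification levels and the cover-story rows are constructed for the example. The first function shows the problem polyinstantiation exists to solve: with a single-valued key, a low-cleared user's INSERT collides with a hidden high row, and the rejection itself leaks that the row exists. The class keeps the classification label in the primary key so one flight can exist at several levels, each reader gets the highest instance at or below their clearance, and the stored instances show why integrity across updates is hard.

```python
import sqlite3

# Constructed lattice of classification levels, lowest to highest.
LEVELS = {"U": 0, "C": 1, "S": 2}


def insert_without_polyinstantiation():
    """Single key per flight: the low user's insert collides with the secret row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE flights (flight TEXT PRIMARY KEY, "
                 "level TEXT, destination TEXT)")
    conn.execute("INSERT INTO flights VALUES ('F101', 'S', 'Tehran')")
    try:
        # An Unclassified user, who cannot see the S row, files a cover story.
        conn.execute("INSERT INTO flights VALUES ('F101', 'U', 'Hawaii')")
        return "accepted"
    except sqlite3.IntegrityError:
        # The key violation tells the U user that a hidden F101 exists:
        # an inference channel, which is what polyinstantiation prevents.
        return "rejected"


class PolyinstantiatedFlights:
    """Flights keyed by (flight, level): one instance of a key per level."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute(
            "CREATE TABLE flights (flight TEXT, level TEXT, destination TEXT, "
            "PRIMARY KEY (flight, level))")

    def write_as(self, level, flight, destination):
        """A subject at `level` creates or updates only the instance at its level."""
        self.conn.execute(
            "INSERT OR REPLACE INTO flights VALUES (?, ?, ?)",
            (flight, level, destination))

    def read_as(self, clearance, flight):
        """Return the instance at the highest level the subject is cleared for."""
        rank = LEVELS[clearance]
        rows = self.conn.execute(
            "SELECT level, destination FROM flights WHERE flight = ?",
            (flight,)).fetchall()
        visible = [(LEVELS[lvl], lvl, dest) for lvl, dest in rows
                   if LEVELS[lvl] <= rank]
        if not visible:
            return None
        _, lvl, dest = max(visible)
        return (lvl, dest)

    def instances(self, flight):
        """All stored instances: there is no single truth once levels diverge."""
        return self.conn.execute(
            "SELECT level, destination FROM flights WHERE flight = ? "
            "ORDER BY level", (flight,)).fetchall()


def demo():
    db = PolyinstantiatedFlights()
    db.write_as("S", "F101", "Tehran")   # the real destination
    db.write_as("U", "F101", "Hawaii")   # cover story; no collision this time
    db.write_as("U", "F101", "Guam")     # U user "corrects" the record; S copy untouched
    return {
        "without_poly": insert_without_polyinstantiation(),
        "unclassified_sees": db.read_as("U", "F101"),
        "confidential_sees": db.read_as("C", "F101"),   # no C instance: falls to U
        "secret_sees": db.read_as("S", "F101"),
        "stored_instances": db.instances("F101"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The U user's later update changes only the U instance; the S instance still says Tehran, so two updates at different levels leave two answers for one key, which is the integrity problem the slide names. Whether the high-level copy should ever be reconciled with the low-level cover story is a policy decision the database cannot make on its own.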

9
Programming/Data Attacks
  • Salami attack
  • Data diddling
  • Fraud
  • Logic bomb
  • Mistakes
  • Boundary errors
  • Validation errors
  • Time of Check/Time of Use (TOCTOU, a
    serialization or race-condition error)
  • Covert channels
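
The Time of Check/Time of Use bullet, worked as an added example in Python on a POSIX filesystem; it is not part of the presentation. The temporary directory, the two files and the `attacker_swap` callback, which stands in for a process that wins the race between the check and the use, are all constructed for the example. The hardened version relies on `O_NOFOLLOW` and `fstat`, so it assumes Linux or another POSIX system.

```python
import os
import shutil
import stat
import tempfile


def setup_files():
    """Constructed fixture: a public file the victim means to read and a secret
    it must not read, in a directory the attacker can also write to."""
    workdir = tempfile.mkdtemp()
    public = os.path.join(workdir, "public.txt")
    secret = os.path.join(workdir, "secret.txt")
    with open(public, "w") as fh:
        fh.write("hello")
    with open(secret, "w") as fh:
        fh.write("TOP SECRET")
    return workdir, public, secret


def attacker_swap(public, secret):
    """What the attacker does inside the race window: replace the checked path
    with a symlink to the secret."""
    os.remove(public)
    os.symlink(secret, public)


def read_vulnerable(path, race=None):
    """Check on the path name, then use the path name: two separate lookups."""
    if os.path.islink(path) or not os.path.isfile(path):   # time of check
        return None
    if race:
        race()                                             # the window
    with open(path) as fh:                                 # time of use
        return fh.read()


def read_hardened(path, race=None):
    """Open first, then check the object actually opened: check and use share
    one file descriptor, so the path cannot be swapped between them."""
    if race:
        race()            # the attacker gets the same chance, before the open
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)   # refuse symlinks
    except OSError:
        return None
    try:
        st = os.fstat(fd)                                  # check the fd ...
        if not stat.S_ISREG(st.st_mode):
            return None
        with os.fdopen(fd, "r") as fh:                     # ... and use the fd
            fd = -1   # the file object now owns and closes the descriptor
            return fh.read()
    finally:
        if fd != -1:
            os.close(fd)


def demo():
    results = {}
    for name, reader in (("vulnerable", read_vulnerable),
                         ("hardened", read_hardened)):
        workdir, public, secret = setup_files()
        try:
            results[name + "_no_race"] = reader(public)
            results[name + "_raced"] = reader(
                public, lambda: attacker_swap(public, secret))
        finally:
            shutil.rmtree(workdir)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The vulnerable reader passes its own check and then reads the secret, because the check and the open each resolve the name afresh. The hardened reader has no window: whatever the attacker does before the open is caught by `O_NOFOLLOW`, and whatever happens after it cannot change the file the descriptor already refers to. The general rule is to check the object you will use (the descriptor), not the name you looked it up by.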

10
Applications Beyond the Database
  • Centralized systems
  • Biggest issue is still mistakes and omissions
  • Protection by the operating system/platform
  • Physical database integrity
  • Logical database integrity
  • Element integrity

11-13
Applications Beyond the Database
  • Distributed systems
  • Now the norm
  • Decentralized - connected or unconnected but
    related platforms running independent copies of
    software with independent copies of data
  • Dispersed - interconnected and related
    platforms running the same software and using the
    same data, one of which (data or software) is
    centralized
      • Accommodates change
      • Deploys resources
      • Improves performance
      • Lower risk of system failure due to hardware
        malfunction
  • Interoperable or Cooperative - interconnected
    platforms running independent copies of software
    with independent copies of data
      • Combines processing from dissimilar platforms
      • Each component can be executed and tested
        independently

14
Definitions
  • Loose coupling
  • fewer dependencies between modules
  • High cohesion
  • modules perform discrete functions
  • Agent
  • Client/server local link to other areas of the
    system; performs information preparation and
    exchange on behalf of the client or server

15
Potential Vulnerabilities
  • Data problems
  • Aggregation - building new (and possibly more
    sensitive) objects from existing objects
  • Inference - deriving information that is not
    explicitly stored from information that is
  • Object reuse/garbage collection - reclaiming
    residual information left in dynamic storage after
    it is released and reallocated
  • Data contamination
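
Inference and aggregation against a statistical database, as an added example in Python with `sqlite3`; it is not from the presentation. The salary rows, the `staff` table and the query-set-size threshold are constructed. The interface only answers aggregate queries and refuses any whose query set is smaller than the threshold, a common control, yet a tracker (two permitted aggregates that differ by exactly one person) still recovers an individual salary.

```python
import sqlite3

MIN_QUERY_SET = 3   # constructed control: refuse aggregates over fewer than 3 rows

# Constructed sample data (not from the slides).
SALARIES = [
    ("Alice", "Finance", 90000),
    ("Bob", "Finance", 95000),
    ("Carol", "Finance", 88000),
    ("Dave", "Finance", 91000),
    ("Erin", "Engineering", 120000),
]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (name TEXT PRIMARY KEY, dept TEXT, "
                 "salary INTEGER)")
    conn.executemany("INSERT INTO staff VALUES (?,?,?)", SALARIES)
    return conn


def stat_query(conn, where, params=()):
    """Statistical interface: SUM(salary) over the rows matching the analyst's
    predicate `where` (values bound as parameters), or None when the query set
    is below the threshold. No individual rows are ever returned."""
    count, total = conn.execute(
        "SELECT COUNT(*), COALESCE(SUM(salary), 0) FROM staff WHERE " + where,
        params).fetchone()
    if count < MIN_QUERY_SET:
        return None
    return total


def infer_salary(conn, target, dept):
    """Tracker attack: two permitted aggregates whose difference is one person."""
    whole = stat_query(conn, "dept = ?", (dept,))
    without = stat_query(conn, "dept = ? AND name != ?", (dept, target))
    if whole is None or without is None:
        return None
    return whole - without


def demo():
    conn = build_db()
    return {
        # Asking for Bob directly is refused: query set of size 1.
        "direct_lookup": stat_query(conn, "name = ?", ("Bob",)),
        # Finance has 4 people, so both tracker queries pass the threshold
        # and the difference is Bob's salary.
        "inferred_bob": infer_salary(conn, "Bob", "Finance"),
        # Engineering has 1 person: both tracker queries are refused.
        "inferred_erin": infer_salary(conn, "Erin", "Engineering"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The threshold stops the naive query and nothing else: any department with more people than the threshold can be picked apart one person at a time, and unions of overlapping queries aggregate to the same result. The control has to look at the overlap between queries (query auditing), perturb or round the answers, or suppress cells, not just count rows.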

16
Potential Vulnerabilities
  • Malicious Code
  • Trojan horse - program with hidden and
    undesirable functions
  • Virus - malicious, usually destructive, code that
    infects other programs to propagate itself
  • Logic bomb - hidden code designed to perform
    undesirable activities upon receiving or
    observing a specific condition
  • Letter bomb - email attachment carrying malicious
    code
  • Worm - a program that uses communications methods
    to propagate itself between systems
  • Applet - platform-independent download-and-run
    mini-program used in Java programming; not
    malicious in itself, but a vehicle for mobile
    code that runs on the client

17
Potential Vulnerabilities
  • Access problems
  • Trap door - secret way in
  • Back door - unapproved method of accessing the
    system
  • Covert channel - unapproved communications link
    between one application and another
  • Covert storage channel - one process writes to a
    storage location and another process (at a lower
    security level) reads it
  • Covert timing channel - processes signal to one
    another by modulating their use of a shared system
    resource
  • Physical access to the area

18
Vulnerabilities Summary
  • Spoofing/Eavesdropping
  • Unable to identify/track access/updates
  • Theft of information or hard assets
  • Improper access to information
  • Improper update of information
  • Improper destruction of information
  • Lack of or inadequate data validation
  • Data overwrites
  • Incorrect internal processing
  • Direct data access

19
Definitions
  • Data mining
  • Analyzing databases for trends/anomalies using
    automated tools, without prior knowledge of what
    the data contains
  • Knowledge-base system
  • System to query a collection of knowledge
    expressed in a formal knowledge representation
    language
  • Artificial Neural Network
  • A model that learns from examples and generalizes
    to inputs it has not seen

20
Controls - Personnel Issues
  • Accountability and Risk Reduction
  • Background checks of all personnel
  • Separation of Duties
  • Separate responsibilities for application
    development, approval, implementation, support

21
Application System Development
  • Implement a Systems Development Life Cycle
  • Quality Assurance program
  • Involve QA/QC, Audit, Information Security
  • Enforce review and approval of all applications

22-28
Application System Development
  • Systems Development Life Cycle
  • Applies to new development AND system maintenance
  • Include infosec reviews at each milepost of the
    cycle: verify that security requirements have been
    met, and review the design and the code
  • Project Initiation
      • Involve information security in the initial
        discussion of the project
      • Perform a Risk Assessment to
          • Define the sensitivity of the information
          • Define the criticality of the system
          • Define the security risks
          • Define the level of protection needed
      • Ensure regulatory/legal/privacy issues are
        addressed
      • Ensure the requirements can be met by the
        application
  • Project Definition (Design Analysis)
      • Functional/system design requirements
      • Determine the acceptable level of risk: level
        of loss, percentage of loss, permissible
        variance
      • Identify security requirements and controls
      • Determine exposure points in the process
      • Define controls to mitigate each exposure
      • Ensure the requirements can be met by the
        application
  • System Design (Design Specification)
      • Detailed planning of functional components
      • Design program controls
      • Design security mechanisms
      • Design the test plan
      • Design verification: mathematical verification
        that the design corresponds to the model
  • Programming and Training (Software Development)
      • Development personnel should be authorized to
        work on the system
      • Document the security design and controls
      • Train support personnel and users
  • Installation, Evaluation and Testing
      • Development staff should not conduct the
        evaluation/testing
      • Certification of security functionality
      • Certification of processing integrity
      • Desk check, operational test
  • Disposal (Destruction) at end of life

29
Definitions
  • Acceptance
  • Verification that performance and security
    requirements have been met
  • Accreditation
  • Formal management acceptance of security adequacy,
    authorization for operation and acceptance of the
    remaining risk
  • Certification
  • Formal testing of security safeguards
  • Operational assurance
  • Verification that a system is operating according
    to its security requirements
  • Assurance
  • Degree of confidence that the implemented
    security measures work as intended

31
The Real World
  • Systems Development Life Cycle
  • Organizations understaffed, wear too many hats
  • Separation of duties seldom complete
  • Infosec seldom involved in initial stages of
    development
  • Risks seldom adequately assessed
  • Exposure points and controls seldom adequately
    determined
  • Code checks are often skimped
  • Approvals are often perfunctory
  • Development process continues without formal
    approval
  • Few limits on access to program code
  • Change control is applied to program code only,
    not to data or configuration

32
Operational Issues
  • Implementation and Operation
  • Code issues - Change Control
  • Data issues
  • Access
  • Integrity
  • Personnel issues

33-37
Controls
  • Implementation and Operation
  • Authorization
      • All support personnel should be authorized
  • Risk Reduction
      • All code should be reviewed prior to
        implementation (Change Management)
  • Separation of Duties
      • Development staff should not review or
        implement systems
      • Development staff should not support
        production data
      • Development staff should not manage the
        security function
  • Accountability
      • No direct access to the database should be
        permitted; access is mediated by the
        application
      • Production data should be managed by its users,
        not by support staff
      • All access to production data should be logged
  • Least Privilege
      • Access control: access should be given to the
        necessary data fields only
  • Layered Defense
      • Application access controls should be used in
        addition to system access controls

38
The Real World
  • Implementation and Operation
  • Organizations understaffed, wear too many hats
  • Separation of duties seldom complete
  • Development staff often support production
    systems
  • IT staff often maintain production data
  • Access is often granted on basis of least effort

39
Definitions
  • Loose coupling
  • weak dependencies between modules
  • High cohesion
  • modules perform discrete functions
  • Due Care
  • minimum and customary practice of responsible
    protection of assets that reflects a community or
    societal norm
  • Due Diligence
  • prudent management and execution of due care

40
Final Considerations
  • What does the development life cycle and change
    control implementation cover?
  • Applications programs?
  • Supporting libraries?
  • Operating systems?
  • Proportionality

Files graciously shared by Ben Rothke. Reformatted
and edited for Slide presentation