SlideShare ist ein Scribd-Unternehmen logo

8. Software Development Security

Sam Bowne
Sam Bowne

For a Summer 2019 CISSP class. Details at https://samsclass.info/125/125_Sum19.shtml

Bildung
1 von 85
Downloaden Sie, um offline zu lesen
CNIT 125: Information Security Professional (CISSP Preparation) Ch 8. Software Development Security
Programming Concepts
Machine Code, Source Code, and Assembly Language • Machine code • Binary language built into CPU • Source code • Human-readable language like C • Assembly Language • Low-level commands one step above machine language • Commands like ADD, SUB, PUSH
Compilers, Interpreters, and Bytecode • Compilers translate source code into machine code • Interpreters translate each line of code into machine code on the fly while the program runs • Bytecode is an intermediary form between source code and machine code, ready to be executed in a Java Virtual Machine
Procedural and Object-Oriented Languages • Procedural languages use subroutines, procedures and functions • Ex: C, FORTRAN • Object-oriented languages define abstract objects • Have attributes and methods • Can inherit properties from parent objects • Ex: C++, Ruby, Python
Metasploit Source Code • Link Ch 9a
Fourth-Generation Programming Languages (4GL) • Automate creation of code
Computer-Aided Software Engineering (CASE) • Programs assist in creation and maintenance of other programs • Three types • Tools: support one task • Workbenches: Integrate several tools • Environments: Support entire process • 4GL, object-oriented languages, and GUIs are used as components of CASE
Top-Down vs. Bottom-Up Programming • Top-Down • Starts with high-level requirements • Common with procedural languages • Bottom-Up • Starts with low-level technical implementation details • Common with object-oriented languages
Types of Publicly Released Software • Closed Source • Source code is confidential • Open Source • Free Software • May cost $0, or be open to modify • Freeware: costs $0 • Shareware: free trial period • Crippleware: limited free version
Software Licensing • Public domain (free to use) • Proprietary software is copyrighted, and sometimes patented • EULA (End User License Agreement) • Open-source licenses • GNU Public License (GPL) • Berkeley Software Distribution (BSD) • Apache
Application Development Methods
Waterfall Model • From 1969 • One-way • No iteration • Unrealistic
Modified Waterfall Model
Sashimi Model • Steps overlap
Agile Software Development • Agile methods include Scrum and Extreme Programming (XP) • Agile Manifesto
Scrum • Stop running the relay race • Doing only one step and handing off the project • Take up rugby • A team goes the distance as a unit
Extreme Programming (XP) • Pairs of programmers work off a detailed specification • Constant communication with fellow programmers and customers
Spiral • Many rounds • Each round is a project; may use waterfall model • Risk analysis performed for each round
Rapid Application Development (RAD) • Goal: quickly meet business needs • Uses prototypes, "dummy" GUIs, and back-end databases
Prototyping • Breaks projects into smaller tasks • Create multiple mockups (prototypes) • Customer sees realistic-looking results long before the final product is completed
SDLC • Systems Development Life Cycle • or Software Development Life Cycle • Security included in every phase • NIST Special Publication 800-14
SDLC Phases • Initiation • Development / Acquisition • Implementation • Operation • Disposal • Security plan should be first step
SDLC Overview • Prepare security plan • Initiation: define need and purpose • Sensitivity Assessment • Development / Acquisition • Determine security requirements and incorporate them into specifications • Implementation • Install controls, security testing, accreditation
SDLC Overview • Operation / Maintenance • Security operations and administration: backups, training, key management, etc. • Audits and monitoring • Disposal • Archiving • Media sanitization
Integrated Product Teams • A customer-focused group that focuses on the entire lifecycle of a project • More agile than traditional hierarchical teams
Software Escrow • Third party archives source code of proprietary software • Source code is revealed if the product is orphaned
Code Repository Security • Like GitHub • Contents must be protected • Developers shouldn't publish code that contains secrets
Security of Application Programming Interfaces (APIs) • API allows apps to use a service, like Facebook • API exploits abuse the API to compromise security
OWASP Enterprise Security API Toolkits
Software Change and Configuration Management • Ensures that changes occur in an orderly fashion, and don't harm security • NIST SP 80-128 describes a Configuration Management Plan (CMP) • Configuration Control Board (CCB) • Configuration Item Identification • Configuration Change Control • Configuration Monitoring
DevOps • Old system had strict separation of duties between developers, quality assurance, and production • DevOps is more agile, with everyone working together in the entire service lifecycle
Databases
Database • Structured collection of data • Databases allow • Queries (searches) • Insertions • Deletions • Database Management Systems (DBMS) • Controls all access to the database • Enforces database security
Database Concepts • Database Administrator (DBA) • Query language • Ex: Structured Query Language (SQL) • Inference attack • Enumerating low-privilege data to find missing items, which must be 
 high-privilege • Aggregation attack • Combining many low-privilege records to deduce high-privilege data
Types of Databases • Relational • Hierarchical • Object-oriented • Flat file • Simple text file
Relational Databases
Relational Database Terms • Tables have rows (records or tuples) and columns (fields or attributes) • Primary Key field is guaranteed to be unique, like a SSN • Foreign key is a field in another table that matched the primary key • Join connects two tables by a matching field
Integrity • Referential Integrity • Foreign keys match primary keys • Semantic Integrity • Field values match data type (no letters in numerical fields) • Entity Integrity • Each tuple has a non-null primary key
Database Normalization • Removes redundant data
Database Views • Contained user interface • Shows only some data and options • Like a PoS (Point of Sale) device
Data Dictionary • Describes the tables • This is metadata -- data about data • Database schema • Describes the attributes and values of the tables
Query Languages • Two subsets of commands • Data Definition Language (DDL) • Data Manipulation Language (DML) • Structured Query Language (SQL) is the most common query language • Many types • MySQL, ANSI SQL (used by Microsoft), PL/SQL (Procedural Language/SQL, used by Oracle), and more
Common SQL Commands • SELECT * FROM Employees WHERE Title = "DETECTIVE"
Hierarchical Databases • A tree, like DNS
Object-Oriented Databases • Combines data and functions in an object-oriented framework • Uses Object Oriented Programming (OOP) • and Object Database Management System (OBMS)
Database Integrity • Mitigate unauthorized data modification • Two users may attempt to change the same record simultaneously • The DBMS attempts to commit an update • If the commit is unsuccessful, the DBMS can rollback and restore from a save point • Database journal logs all transactions
Database Replication and Shadowing • Highly Available (HA) databases • Multiple servers • Multiple copies of tables • Database replication • Mirrors a live database • Original and copy are in use, serving clients • Shadow database • Live backup, not used
Data Warehousing and Data Mining • Data Warehouse • A large collection of data • Terabytes (1000 GB) • Petabytes (1000 TB) • Data Mining • Searching for patterns • Ex: finding credit card fraud
Object-Oriented Design and Programming
Object-Oriented Programming (OOP) • A program is a series of connected objects that communicate via messages • Ex: Java, C++, Smalltalk, Ruby • Objects contain data and methods • Objects provide data hiding • Internal structure not visible from the outside • Also called encapsulation
Object-Oriented Programming Concepts • Objects • Methods • Messages • Inheritance • Delegation • Polymorphism • Polyinstantiation
Example • Addy is an object • It has a method of addition • Input message is "1+2" • Output message is "3"
Delegation and Polymorphism
Polyinstantiation • Multiple records for the same primary key, with different clearance levels
Object Request Brokers (ORBs) • Middleware • Connect programs to other programs • Object search engines • Common ORBs • COM, DCOM, CORBA
COM and DCOM • Component Object Model • Distributed Component Object Model • From Microsoft • Allows objects written in different OOP languages to communicate • Assemble a program by connecting components together like puzzle pieces • Includes ActiveX objects and Object Linking and Embedding (OLE) • COM and DCOM are being supplanted by Microsoft.NET
CORBA • Common Object Request Broker Architecture • Open vendor-neutral framework • Competes with Microsoft's proprietary DCOM • Objects communicate via Interface Definition Language (IDL)
Object-Oriented Analysis (OOA) & Object-Oriented Design (OOD) • Object-Oriented Analysis (OOA) • Analyzes a problem domain • Identifies all objects and interactions • Object-Oriented Design (OOD) • Then develops the solution
Assessing the Effectiveness of Software Security
Software Vulnerabilities • 15-50 errors per 1000 lines of code • Windows Vista has 50 million lines of code
Types of Software Vulnerabilities • Hard-coded credentials • Buffer overflow • SQL injection • Directory path traversal • PHP Remote File Inclusion
Buffer Overflow • Program reserves space for a variable • Ex: name[20] • User submits data that's too long to fit • Data written beyond the reserved space and corrupts memory • Can lead to Remote Code Execution
TOCTOU / Race Conditions • Time of Check/Time of Use (TOCTOU) attacks (also called Race Conditions) • A brief time of vulnerability • Attacker needs to "win the race"
Cross-Site Scripting (XSS) • Insert Javascript into a page • For example, a comment box • The code executes on another user's machine • BeEF (Browser Exploitation Framework) • Allows an attacker to control targets' browsers
Cross-Site Request Forgery (CSRF) • Trick a user into executing an unintended action • With a malicious URL • Or by using a stolen cookie
Privilege Escalation • Vertical escalation • Attacker increases privilege level • To "Administrator", "root", or "SYSTEM" • Horizontal escalation • To another user's account
Backdoor • Shortcut into a system, bypassing security checks like username/password • May be through exploiting a vulnerability • Or a backdoor account left in the system by its developer
Disclosure • Actions taken by a security researcher after finding a software vulnerability • Full Disclosure • Release all details publicly • Responsible Disclosure • Tell vendor privately • Give them time to patch it
Software Capability Maturity Model (CMM) • From Carnegie Mellon • A methodical framework for creating quality software
Five Levels of CMM 1. Initial - ad-hoc & chaotic • Depends on individual effort 2. Repeatable - basic project management 3. Defined • Documented standardized process 4. Managed • Controlled, measured process & quality 5. Optimizing • Continual process improvement
Acceptance Testing • ISTQB (International Software Testing Qualifications Board) has 4 levels • User acceptance test • Operational acceptance test • Contract acceptance testing • Compliance acceptance testing
Security Impact of Acquired Software • Commercial Off-the-Shelf (COTS) Software • Compare vendor claims with third-party research • Consider vendors going out of business, and support • Custom-Developed Third Party Products • Service Level Agreements (SLA) are vital
Artificial Intelligence
Expert Systems • Two components • Knowledge Base • If/then statements • Contain rules that the expert system uses to make decisions • Inference Engine • Follows the tree formed by the knowledge base
Multi-Layer Artificial Neural Network • Simulates real brains
Bayesian Filtering • Looks for probabilities of words in spam v. good email
Genetic Algorithms and Programming • Simulates evolution
8. Software Development Security

Empfohlen

7 Software Development Security
7 Software Development Security7 Software Development Security
7 Software Development Security
Alfred Ouyang
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
Mohammed Danish Amber
 
Patch and Vulnerability Management
Patch and Vulnerability ManagementPatch and Vulnerability Management
Patch and Vulnerability Management
Marcelo Martins
 
Penetration Testing SAP Systems
Penetration Testing SAP SystemsPenetration Testing SAP Systems
Penetration Testing SAP Systems
Onapsis Inc.
 
Secure Software Development Lifecycle
Secure Software Development LifecycleSecure Software Development Lifecycle
Secure Software Development Lifecycle
1&1
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
Michael Furman
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
WSO2
 
Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...
Edureka!
 

Empfohlen

7 Software Development Security
7 Software Development Security7 Software Development Security
7 Software Development Security
Alfred Ouyang
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
Mohammed Danish Amber
 
Patch and Vulnerability Management
Patch and Vulnerability ManagementPatch and Vulnerability Management
Patch and Vulnerability Management
Marcelo Martins
 
Penetration Testing SAP Systems
Penetration Testing SAP SystemsPenetration Testing SAP Systems
Penetration Testing SAP Systems
Onapsis Inc.
 
Secure Software Development Lifecycle
Secure Software Development LifecycleSecure Software Development Lifecycle
Secure Software Development Lifecycle
1&1
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
Michael Furman
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
WSO2
 
Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...
Edureka!
 
CISSP Chapter 7 - Security Operations
CISSP Chapter 7 - Security OperationsCISSP Chapter 7 - Security Operations
CISSP Chapter 7 - Security Operations
Karthikeyan Dhayalan
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product Security
SoftServe
 
CSSLP Course
CSSLP CourseCSSLP Course
CSSLP Course
Masoud Ostad
 
Next Generation Defense in Depth Model - Tari Schreider, CCISO, Chief Cybers...
Next Generation Defense in Depth Model - Tari Schreider, CCISO, Chief Cybers...Next Generation Defense in Depth Model - Tari Schreider, CCISO, Chief Cybers...
Next Generation Defense in Depth Model - Tari Schreider, CCISO, Chief Cybers...
EC-Council
 
Computer security concepts
Computer security conceptsComputer security concepts
Computer security concepts
G Prachi
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Edureka!
 
Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident Response
PECB
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and Awareness
Abdul Rahman Sherzad
 
CompTIA Security+: Everything you need to know about the SY0-601 update
CompTIA Security+: Everything you need to know about the SY0-601 updateCompTIA Security+: Everything you need to know about the SY0-601 update
CompTIA Security+: Everything you need to know about the SY0-601 update
Infosec
 
What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?
btpsec
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
Tandhy Simanjuntak
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
bilcorry
 
Introduction to Software Security and Best Practices
Introduction to Software Security and Best PracticesIntroduction to Software Security and Best Practices
Introduction to Software Security and Best Practices
Maxime ALAY-EDDINE
 
Secure Coding and Threat Modeling
Secure Coding and Threat ModelingSecure Coding and Threat Modeling
Secure Coding and Threat Modeling
Miriam Celi, CISSP, GISP, MSCS, MBA
 
Domain 4 - Communications and Network Security
Domain 4 - Communications and Network SecurityDomain 4 - Communications and Network Security
Domain 4 - Communications and Network Security
Maganathin Veeraragaloo
 
Security policies
Security policiesSecurity policies
Security policies
Nishant Pahad
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
Software Guru
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
Abu Sadat Mohammed Yasin
 
Threat modeling web application: a case study
Threat modeling web application: a case studyThreat modeling web application: a case study
Threat modeling web application: a case study
Antonio Fontes
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development Security
Sam Bowne
 
Tech presentation (part 1)
Tech presentation (part 1)Tech presentation (part 1)
Tech presentation (part 1)
Abhijit Roy
 

Weitere ähnliche Inhalte

Was ist angesagt?

Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product Security
SoftServe
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and Awareness
Abdul Rahman Sherzad
 
CompTIA Security+: Everything you need to know about the SY0-601 update
CompTIA Security+: Everything you need to know about the SY0-601 updateCompTIA Security+: Everything you need to know about the SY0-601 update
CompTIA Security+: Everything you need to know about the SY0-601 update
Infosec
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
Tandhy Simanjuntak
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
Software Guru
 

Was ist angesagt? (20)

CISSP Chapter 7 - Security Operations
CISSP Chapter 7 - Security OperationsCISSP Chapter 7 - Security Operations
CISSP Chapter 7 - Security Operations
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product Security
 
CSSLP Course
CSSLP CourseCSSLP Course
CSSLP Course
 
Next Generation Defense in Depth Model - Tari Schreider, CCISO, Chief Cybers...
Next Generation Defense in Depth Model - Tari Schreider, CCISO, Chief Cybers...Next Generation Defense in Depth Model - Tari Schreider, CCISO, Chief Cybers...
Next Generation Defense in Depth Model - Tari Schreider, CCISO, Chief Cybers...
 
Computer security concepts
Computer security conceptsComputer security concepts
Computer security concepts
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
 
Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident Response
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and Awareness
 
CompTIA Security+: Everything you need to know about the SY0-601 update
CompTIA Security+: Everything you need to know about the SY0-601 updateCompTIA Security+: Everything you need to know about the SY0-601 update
CompTIA Security+: Everything you need to know about the SY0-601 update
 
What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
 
Introduction to Software Security and Best Practices
Introduction to Software Security and Best PracticesIntroduction to Software Security and Best Practices
Introduction to Software Security and Best Practices
 
Secure Coding and Threat Modeling
Secure Coding and Threat ModelingSecure Coding and Threat Modeling
Secure Coding and Threat Modeling
 
Domain 4 - Communications and Network Security
Domain 4 - Communications and Network SecurityDomain 4 - Communications and Network Security
Domain 4 - Communications and Network Security
 
Security policies
Security policiesSecurity policies
Security policies
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
 
Threat modeling web application: a case study
Threat modeling web application: a case studyThreat modeling web application: a case study
Threat modeling web application: a case study
 

Ähnlich wie 8. Software Development Security

KYSUC - Keep Your Schema Under Control
KYSUC - Keep Your Schema Under ControlKYSUC - Keep Your Schema Under Control
KYSUC - Keep Your Schema Under Control
Coimbra JUG
 
Managing Applications in CodeIgniter
Managing Applications in CodeIgniterManaging Applications in CodeIgniter
Managing Applications in CodeIgniter
Jamshid Hashimi
 
Distributed objects & components of corba
Distributed objects & components of corbaDistributed objects & components of corba
Distributed objects & components of corba
Mayuresh Wadekar
 
An Open Source Workbench for Prototyping Multimodal Interactions Based on Off...
An Open Source Workbench for Prototyping Multimodal Interactions Based on Off...An Open Source Workbench for Prototyping Multimodal Interactions Based on Off...
An Open Source Workbench for Prototyping Multimodal Interactions Based on Off...
Jean Vanderdonckt
 

Ähnlich wie 8. Software Development Security (20)

8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development Security
 
Tech presentation (part 1)
Tech presentation (part 1)Tech presentation (part 1)
Tech presentation (part 1)
 
David buksbaum a-briefintroductiontocsharp
David buksbaum a-briefintroductiontocsharpDavid buksbaum a-briefintroductiontocsharp
David buksbaum a-briefintroductiontocsharp
 
Hpc lunch and learn
Hpc lunch and learnHpc lunch and learn
Hpc lunch and learn
 
KYSUC - Keep Your Schema Under Control
KYSUC - Keep Your Schema Under ControlKYSUC - Keep Your Schema Under Control
KYSUC - Keep Your Schema Under Control
 
Exploiting NoSQL Like Never Before
Exploiting NoSQL Like Never BeforeExploiting NoSQL Like Never Before
Exploiting NoSQL Like Never Before
 
Managing Applications in CodeIgniter
Managing Applications in CodeIgniterManaging Applications in CodeIgniter
Managing Applications in CodeIgniter
 
.Net programming with C#
.Net programming with C#.Net programming with C#
.Net programming with C#
 
Distributed objects & components of corba
Distributed objects & components of corbaDistributed objects & components of corba
Distributed objects & components of corba
 
Autoframework design
Autoframework designAutoframework design
Autoframework design
 
Introduction to CQRS - command and query responsibility segregation
Introduction to CQRS - command and query responsibility segregationIntroduction to CQRS - command and query responsibility segregation
Introduction to CQRS - command and query responsibility segregation
 
Why ruby and rails
Why ruby and railsWhy ruby and rails
Why ruby and rails
 
Introducing NoSQL and MongoDB to complement Relational Databases (AMIS SIG 14...
Introducing NoSQL and MongoDB to complement Relational Databases (AMIS SIG 14...Introducing NoSQL and MongoDB to complement Relational Databases (AMIS SIG 14...
Introducing NoSQL and MongoDB to complement Relational Databases (AMIS SIG 14...
 
Composable Software Architecture with Spring
Composable Software Architecture with SpringComposable Software Architecture with Spring
Composable Software Architecture with Spring
 
Rajnish singh(presentation on oracle )
Rajnish singh(presentation on oracle )Rajnish singh(presentation on oracle )
Rajnish singh(presentation on oracle )
 
Oracle OpenWo2014 review part 03 three_paa_s_database
Oracle OpenWo2014 review part 03 three_paa_s_databaseOracle OpenWo2014 review part 03 three_paa_s_database
Oracle OpenWo2014 review part 03 three_paa_s_database
 
DataOps with Project Amaterasu
DataOps with Project AmaterasuDataOps with Project Amaterasu
DataOps with Project Amaterasu
 
An Open Source Workbench for Prototyping Multimodal Interactions Based on Off...
An Open Source Workbench for Prototyping Multimodal Interactions Based on Off...An Open Source Workbench for Prototyping Multimodal Interactions Based on Off...
An Open Source Workbench for Prototyping Multimodal Interactions Based on Off...
 
U-SQL - Azure Data Lake Analytics for Developers
U-SQL - Azure Data Lake Analytics for DevelopersU-SQL - Azure Data Lake Analytics for Developers
U-SQL - Azure Data Lake Analytics for Developers
 
Software design with Domain-driven design
Software design with Domain-driven design Software design with Domain-driven design
Software design with Domain-driven design
 

Mehr von Sam Bowne

Mehr von Sam Bowne (20)

Cyberwar
CyberwarCyberwar
Cyberwar
 
3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities
 
4 Mapping the Application
4 Mapping the Application4 Mapping the Application
4 Mapping the Application
 
3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2) 3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2)
 
12 Elliptic Curves
12 Elliptic Curves12 Elliptic Curves
12 Elliptic Curves
 
11. Diffie-Hellman
11. Diffie-Hellman11. Diffie-Hellman
11. Diffie-Hellman
 
2a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1
 
9 Writing Secure Android Applications
9 Writing Secure Android Applications9 Writing Secure Android Applications
9 Writing Secure Android Applications
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)
 
10 RSA
10 RSA10 RSA
10 RSA
 
12 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard Problems
 
8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)
 
11 Analysis Methodology
11 Analysis Methodology11 Analysis Methodology
11 Analysis Methodology
 
8. Authenticated Encryption
8. Authenticated Encryption8. Authenticated Encryption
8. Authenticated Encryption
 
7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)
 
7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream Ciphers
 
6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection
 
4. Block Ciphers
4. Block Ciphers 4. Block Ciphers
4. Block Ciphers
 

Kürzlich hochgeladen

Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functions
KarakKing
 

Kürzlich hochgeladen (20)

Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdf
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.ppt
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POS
 
Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - English
 
How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
 
Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functions
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
 
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
 
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdfUGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
Interdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptxInterdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptx
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentation
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibit
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)
 
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptxExploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx
 
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
 

8. Software Development Security

  • 3. Machine Code, Source Code, and Assembly Language • Machine code • Binary language built into CPU • Source code • Human-readable language like C • Assembly Language • Low-level commands one step above machine language • Commands like ADD, SUB, PUSH
  • 4. Compilers, Interpreters, and Bytecode • Compilers translate source code into machine code • Interpreters translate each line of code into machine code on the fly while the program runs • Bytecode is an intermediary form between source code and machine code, ready to be executed in a Java Virtual Machine
  • 5. Procedural and Object-Oriented Languages • Procedural languages use subroutines, procedures and functions • Ex: C, FORTRAN • Object-oriented languages define abstract objects • Have attributes and methods • Can inherit properties from parent objects • Ex: C++, Ruby, Python
  • 8. Computer-Aided Software Engineering (CASE) • Programs assist in creation and maintenance of other programs • Three types • Tools: support one task • Workbenches: Integrate several tools • Environments: Support entire process • 4GL, object-oriented languages, and GUIs are used as components of CASE
  • 9. Top-Down vs. Bottom-Up Programming • Top-Down • Starts with high-level requirements • Common with procedural languages • Bottom-Up • Starts with low-level technical implementation details • Common with object-oriented languages
  • 10. Types of Publicly Released Software • Closed Source • Source code is confidential • Open Source • Free Software • May cost $0, or be open to modify • Freeware: costs $0 • Shareware: free trial period • Crippleware: limited free version
  • 11. Software Licensing • Public domain (free to use) • Proprietary software is copyrighted, and sometimes patented • EULA (End User License Agreement) • Open-source licenses • GNU Public License (GPL) • Berkeley Software Distribution (BSD) • Apache
  • 13. Waterfall Model • From 1969 • One-way • No iteration • Unrealistic
  • 16. Agile Software Development • Agile methods include Scrum and Extreme Programming (XP) • Agile Manifesto
  • 17. Scrum • Stop running the relay race • Doing only one step and handing off the project • Take up rugby • A team goes the distance as a unit
  • 18. Extreme Programming (XP) • Pairs of programmers work off a detailed specification • Constant communication with fellow programmers and customers
  • 19. Spiral • Many rounds • Each round is a project; may use waterfall model • Risk analysis performed for each round
  • 20.
  • 21. Rapid Application Development (RAD) • Goal: quickly meet business needs • Uses prototypes, "dummy" GUIs, and back-end databases
  • 22. Prototyping • Breaks projects into smaller tasks • Create multiple mockups (prototypes) • Customer sees realistic-looking results long before the final product is completed
  • 23. SDLC • Systems Development Life Cycle • or Software Development Life Cycle • Security included in every phase • NIST Special Publication 800-14
  • 24. SDLC Phases • Initiation • Development / Acquisition • Implementation • Operation • Disposal • Security plan should be first step
  • 25. SDLC Overview • Prepare security plan • Initiation: define need and purpose • Sensitivity Assessment • Development / Acquisition • Determine security requirements and incorporate them into specifications • Implementation • Install controls, security testing, accreditation
  • 26. SDLC Overview • Operation / Maintenance • Security operations and administration: backups, training, key management, etc. • Audits and monitoring • Disposal • Archiving • Media sanitization
  • 27. Integrated Product Teams • A customer-focused group that focuses on the entire lifecycle of a project • More agile than traditional hierarchical teams
  • 28. Software Escrow • Third party archives source code of proprietary software • Source code is revealed if the product is orphaned
  • 29. Code Repository Security • Like GitHub • Contents must be protected • Developers shouldn't publish code that contains secrets
  • 30. Security of Application Programming Interfaces (APIs) • API allows apps to use a service, like Facebook • API exploits abuse the API to compromise security
  • 32. Software Change and Configuration Management • Ensures that changes occur in an orderly fashion, and don't harm security • NIST SP 80-128 describes a Configuration Management Plan (CMP) • Configuration Control Board (CCB) • Configuration Item Identification • Configuration Change Control • Configuration Monitoring
  • 33. DevOps • Old system had strict separation of duties between developers, quality assurance, and production • DevOps is more agile, with everyone working together in the entire service lifecycle
  • 34.
  • 36. Database • Structured collection of data • Databases allow • Queries (searches) • Insertions • Deletions • Database Management Systems (DBMS) • Controls all access to the database • Enforces database security
  • 37. Database Concepts • Database Administrator (DBA) • Query language • Ex: Structured Query Language (SQL) • Inference attack • Enumerating low-privilege data to find missing items, which must be 
 high-privilege • Aggregation attack • Combining many low-privilege records to deduce high-privilege data
  • 38. Types of Databases • Relational • Hierarchical • Object-oriented • Flat file • Simple text file
  • 40. Relational Database Terms • Tables have rows (records or tuples) and columns (fields or attributes) • Primary Key field is guaranteed to be unique, like a SSN • Foreign key is a field in another table that matched the primary key • Join connects two tables by a matching field
  • 41. Integrity • Referential Integrity • Foreign keys match primary keys • Semantic Integrity • Field values match data type (no letters in numerical fields) • Entity Integrity • Each tuple has a non-null primary key
  • 42.
  • 44. Database Views • Contained user interface • Shows only some data and options • Like a PoS (Point of Sale) device
  • 45. Data Dictionary • Describes the tables • This is metadata -- data about data • Database schema • Describes the attributes and values of the tables
  • 46.
  • 47. Query Languages • Two subsets of commands • Data Definition Language (DDL) • Data Manipulation Language (DML) • Structured Query Language (SQL) is the most common query language • Many types • MySQL, ANSI SQL (used by Microsoft), PL/SQL (Procedural Language/SQL, used by Oracle), and more
  • 48. Common SQL Commands • SELECT * FROM Employees WHERE Title = "DETECTIVE"
  • 50. Object-Oriented Databases • Combines data and functions in an object-oriented framework • Uses Object Oriented Programming (OOP) • and Object Database Management System (OBMS)
  • 51. Database Integrity • Mitigate unauthorized data modification • Two users may attempt to change the same record simultaneously • The DBMS attempts to commit an update • If the commit is unsuccessful, the DBMS can rollback and restore from a save point • Database journal logs all transactions
  • 52. Database Replication and Shadowing • Highly Available (HA) databases • Multiple servers • Multiple copies of tables • Database replication • Mirrors a live database • Original and copy are in use, serving clients • Shadow database • Live backup, not used
  • 53. Data Warehousing and Data Mining • Data Warehouse • A large collection of data • Terabytes (1000 GB) • Petabytes (1000 TB) • Data Mining • Searching for patterns • Ex: finding credit card fraud
  • 55. Object-Oriented Programming (OOP) • A program is a series of connected objects that communicate via messages • Ex: Java, C++, Smalltalk, Ruby • Objects contain data and methods • Objects provide data hiding • Internal structure not visible from the outside • Also called encapsulation
  • 56. Object-Oriented Programming Concepts • Objects • Methods • Messages • Inheritance • Delegation • Polymorphism • Polyinstantiation
  • 57. Example • Addy is an object • It has a method of addition • Input message is "1+2" • Output message is "3"
  • 59. Polyinstantiation • Multiple records for the same primary key, with different clearance levels
  • 60. Object Request Brokers (ORBs) • Middleware • Connect programs to other programs • Object search engines • Common ORBs • COM, DCOM, CORBA
  • 61. COM and DCOM • Component Object Model • Distributed Component Object Model • From Microsoft • Allows objects written in different OOP languages to communicate • Assemble a program by connecting components together like puzzle pieces • Includes ActiveX objects and Object Linking and Embedding (OLE) • COM and DCOM are being supplanted by Microsoft.NET
  • 62. CORBA • Common Object Request Broker Architecture • Open vendor-neutral framework • Competes with Microsoft's proprietary DCOM • Objects communicate via Interface Definition Language (IDL)
  • 63. Object-Oriented Analysis (OOA) & Object-Oriented Design (OOD) • Object-Oriented Analysis (OOA) • Analyzes a problem domain • Identifies all objects and interactions • Object-Oriented Design (OOD) • Then develops the solution
  • 64.
  • 65.
  • 66. Assessing the Effectiveness of Software Security
  • 67. Software Vulnerabilities • 15-50 errors per 1000 lines of code • Windows Vista has 50 million lines of code
  • 68. Types of Software Vulnerabilities • Hard-coded credentials • Buffer overflow • SQL injection • Directory path traversal • PHP Remote File Inclusion
  • 69. Buffer Overflow • Program reserves space for a variable • Ex: name[20] • User submits data that's too long to fit • Data written beyond the reserved space and corrupts memory • Can lead to Remote Code Execution
  • 70. TOCTOU / Race Conditions • Time of Check/Time of Use (TOCTOU) attacks (also called Race Conditions) • A brief time of vulnerability • Attacker needs to "win the race"
  • 71. Cross-Site Scripting (XSS) • Insert Javascript into a page • For example, a comment box • The code executes on another user's machine • BeEF (Browser Exploitation Framework) • Allows an attacker to control targets' browsers
  • 72. Cross-Site Request Forgery (CSRF) • Trick a user into executing an unintended action • With a malicious URL • Or by using a stolen cookie
  • 73. Privilege Escalation • Vertical escalation • Attacker increases privilege level • To "Administrator", "root", or "SYSTEM" • Horizontal escalation • To another user's account
  • 74. Backdoor • Shortcut into a system, bypassing security checks like username/password • May be through exploiting a vulnerability • Or a backdoor account left in the system by its developer
  • 75. Disclosure • Actions taken by a security researcher after finding a software vulnerability • Full Disclosure • Release all details publicly • Responsible Disclosure • Tell vendor privately • Give them time to patch it
  • 76. Software Capability Maturity Model (CMM) • From Carnegie Mellon • A methodical framework for creating quality software
  • 77. Five Levels of CMM 1. Initial - ad-hoc & chaotic • Depends on individual effort 2. Repeatable - basic project management 3. Defined • Documented standardized process 4. Managed • Controlled, measured process & quality 5. Optimizing • Continual process improvement
  • 78. Acceptance Testing • ISTQB (International Software Testing Qualifications Board) has 4 levels • User acceptance test • Operational acceptance test • Contract acceptance testing • Compliance acceptance testing
  • 79. Security Impact of Acquired Software • Commercial Off-the-Shelf (COTS) Software • Compare vendor claims with third-party research • Consider vendors going out of business, and support • Custom-Developed Third Party Products • Service Level Agreements (SLA) are vital
  • 81. Expert Systems • Two components • Knowledge Base • If/then statements • Contain rules that the expert system uses to make decisions • Inference Engine • Follows the tree formed by the knowledge base
  • 82. Multi-Layer Artificial Neural Network • Simulates real brains
  • 83. Bayesian Filtering • Looks for probabilities of words in spam v. good email
  • 84. Genetic Algorithms and Programming • Simulates evolution