SlideShare una empresa de Scribd logo

CISSP Prep: Ch 9. Software Development Security

Sam Bowne
Sam Bowne

The document discusses various topics related to software development security including programming concepts, compilers and interpreters, procedural vs object-oriented programming, software development lifecycles, agile development methods, database security, and object-oriented design. It also covers assessing software security through vulnerabilities, maturity models, and testing as well as artificial intelligence techniques.

Educación
1 de 82
Descargar para leer sin conexión
CNIT 125: Information Security Professional (CISSP Preparation) Ch 9. Software Development Security
Programming Concepts
Machine Code, Source Code, and Assembly Language • Machine code • Binary language built into CPU • Source code • Human-readable language like C • Assembly Language • Low-level commands one step above machine language • Commands like ADD, SUB, PUSH
Compilers, Interpreters, and Bytecode • Compilers translate source code into machine code • Interpreters translate each line of code into machine code on the fly while the program runs • Bytecode is an intermediary form between source code and machine code, ready to be executed in a Java Virtual Machine
Procedural and Object-Oriented Languages • Procedural languages use subroutines, procedures and functions • Ex: C, FORTRAN • Object-oriented languages define abstract objects • Have attributes and methods • Can inherit properties from parent objects • Ex: C++, Ruby, Python
Metasploit Source Code • Link Ch 9a
Fourth-Generation Programming Languages (4GL) • Automate creation of code
Computer-Aided Software Engineering (CASE) • Programs assist in creation and maintenance of other programs • Three types • Tools: support one task • Workbenches: Integrate several tools • Environments: Support entire process • 4GL, object-oriented languages, and GUIs are used as components of CASE
Top-Down vs. Bottom-Up Programming • Top-Down • Starts with high-level requirements • Common with procedural languages • Bottom-Up • Starts with low-level technical implementation details • Common with object-oriented languages
Types of Publicly Released Software • Closed Source • Source code is confidential • Open Source • Free Software • May cost $0, or be open to modify • Freeware: costs $0 • Shareware: free trial period • Crippleware: limited free version
Software Licensing • Public domain (free to use) • Proprietary software is copyrighted, and sometimes patented • EULA (End User License Agreement) • Open-source licenses • GNU Public License (GPL) • Berkeley Software Distribution (BSD) • Apache
Application Development Methods
Waterfall Model • From 1969 • One-way • No iteration • Unrealistic
Modified Waterfall Model
Sashimi Model • Steps overlap
Agile Software Development • Agile methods include Scrum and Extreme Programming (XP) • Agile Manifesto
Scrum • Stop running the relay race • Doing only one step and handing off the project • Take up rugby • A team goes the distance as a unit
Extreme Programming (XP) • Pairs of programmers work off a detailed specification • Constant communication with fellow programmers and customers
Spiral • Many rounds • Each round is a project; may use waterfall model • Risk analysis performed for each round
Rapid Application Development (RAD) • Goal: quickly meet business needs • Uses prototypes, "dummy" GUIs, and back-end databases
Prototyping • Breaks projects into smaller tasks • Create multiple mockups (prototypes) • Customer sees realistic-looking results long before the final product is completed
SDLC • Systems Development Live Cycle • or Software Development Live Cycle • Security included in every phase • NIST Special Publication 800-14
SDLC Phases • Initiation • Development / Acquisition • Implementation • Operation • Disposal • Security plan should be first step
SDLC Overview • Prepare security plan • Initiation: define need and purpose • Sensitivity Assessment • Development / Acquisition • Determine security requirements and incorporate them into specifications • Implementation • Install controls, security testing, accreditation
SDLC Overview • Operation / Maintenance • Security operations and administration: backups, training, key management, etc. • Audits and monitoring • Disposal • Archiving • Media sanitization
Integrated Product Teams • A customer-focused group that focuses on the entire lifecycle of a project • More agile than traditional hierarchical teams
Software Escrow • Third party archives source code of proprietary software • Source code is revealed if the product is orphaned
Code Repository Security • Like GitHub • Contents must be protected • Developers shouldn't publish code that contains secrets
Security of Application Programming Interfaces (APIs) • API allows apps to use a service, like Facebook • API exploits abuse the API to compromise security
OWASP Enterprise Security API Toolkits
Software Change and Configuration Management • Ensures that changes occur in an orderly fashion, and don't harm security • NIST SP 80-128 describes a Configuration Management Plan (CMP) • Configuration Control Board (CCB) • Configuration Item Identification • Configuration Change Control • Configuration Monitoring
DevOps • Old system had strict separation of duties between developers, quality assurance, and production • DevOps is more agile, with everyone working together in the entire service lifecycle
Databases
Database • Structured collection of data • Databases allow • Queries (searches) • Insertions • Deletions • Database Management Systems (DBMS) • Controls all access to the database • Enforces database security
Database Concepts • Database Administrator (DBA) • Query language • Ex: Structured Query Language (SQL) • Inference attack • Enumerating low-privilege data to find missing items, which must be 
 high-privilege • Aggregation attack • Combining many low-privilege records to deduce high-privilege data
Types of Databases • Relational • Hierarchical • Object-oriented • Flat file • Simple text file
Relational Databases
Relational Database Terms • Tables have rows (records or tuples) and columns (fields or attributes) • Primary Key field is guaranteed to be unique, like a SSN • Foreign key is a field in another table that matched the primary key • Join connects two tables by a matching field
Integrity • Referential Integrity • Foreign keys match primary keys • Semantic Integrity • Field values match data type (no letters in numerical fields) • Entity Integrity • Each tuple has a non-null primary key
Database Normalization • Removes redundant data
Database Views • Contained user interface • Shows only some data and options • Like a PoS (Point of Sale) device
Data Dictionary • Describes the tables • This is metadata -- data about data • Database schema • Describes the attributes and values of the tables
Query Languages • Two subsets of commands • Data Definition Language (DDL) • Data Manipulation Language (DML) • Structured Query Language (SQL) is the most common query language • Many types • MySQL, ANSI SQL (used by Microsoft), PL/SQL (Procedural Language/SQL, used by Oracle), and more
Common SQL Commands • SELECT * FROM Employees WHERE Title = "DETECTIVE"
Hierarchical Databases • A tree, like DNS
Object-Oriented Databases • Combines data and functions in an object-oriented framework • Uses Object Oriented Programming (OOP) • and Object Database Management System (OBMS)
Database Integrity • Mitigate unauthorized data modification • Two users may attempt to change the same record simultaneously • The DBMS attempts to commit an update • If the commit is unsuccessful, the DBMS can rollback and restore from a save point • Database journal logs all transactions
Database Replication and Shadowing • Highly Available (HA) databases • Multiple servers • Multiple copies of tables • Database replication • Mirrors a live database • Original and copy are in use, serving clients • Shadow database • Live backup, not used
Data Warehousing and Data Mining • Data Warehouse • A large collection of data • Terabytes (1000 GB) • Petabytes (1000 TB) • Data Mining • Searching for patterns • Ex: finding credit card fraud
Object-Oriented Design and Programming
Object-Oriented Programming (OOP) • A program is a series of connected objects that communicate via messages • Ex: Java, C++, Smalltalk, Ruby • Objects contain data and methods • Objects provide data hiding • Internal structure not visible from the outside • Also called encapsulation
Object-Oriented Programming Concepts • Objects • Methods • Messages • Inheritance • Delegation • Polymorphism • Polyinsstantiation
Example • Addy is an object • It has a method of addition • Input message is "1+2" • Output message is "3"
Example
Polyinstantiation • Multiple records for the same primary key, with different clearance levels
Object Request Brokers (ORBs) • Middleware • Connect programs to other programs • Object search engines • Common ORBs • COM, DCOM, CORBA
COM and DCOM • Component Object Model • Distributed Component Object Model • From Microsoft • Allows objects written in different OOP languages to communicate • Assemble a program by connecting components together like puzzle pieces • Includes ActiveX objects and Object Linking and Embedding (OLE) • COM and DCOM are being supplanted by Microsoft.NET
CORBA • Common Object Request Broker Architecture • Open vendor-neutral framework • Competes with Microsoft's proprietary DCOM • Objects communicate via Interface Definition Language (IDL)
Object-Oriented Analysis (OOA) & Object-Oriented Design (OOD) • Object-Oriented Analysis (OOA) • Analyzes a problem domain • Identifies all objects and interactions • Object-Oriented Design (OOD) • Then develops the solution
Assessing the Effectiveness of Software Security
Software Vulnerabilities • 15-50 errors per 1000 lines of code • Windows Vista has 50 million lines of code
Types of Software Vulnerabilities • Hard-coded credentials • Buffer overflow • SQL injection • Directory path traversal • PHP Remote File Inclusion
Buffer Overflow • Program reserves space for a variable • Ex: name[20] • User submits data that's too long to fit • Data written beyond the reserved space and corrupts memory • Can lead to Remote Code Execution
TOCTOU / Race Conditions • Time of Check/Time of Use (TOCTOU) attacks (also called Race Conditions) • A brief time of vulnerability • Attacker needs to "win the race"
Cross-Site Scripting (XSS) • Insert Javascript into a page • For example, a comment box • The code executes on another user's machine • BeEF (Browser Exploitation Framework) • Allows an attacker to control targets' browsers
Cross-Site Request Forgery (CSRF) • Trick a user into executing an unintended action • With a malicious URL • Or by using a stolen cookie
Privilege Escalation • Vertical escalation • Attacker increases privilege level • To "Administrator", "root", or "SYSTEM" • Horizontal escalation • To another user's account
Backdoor • Shortcut into a system, bypassing security checks like username/password • May be through exploiting a vulnerability • Or a backdoor account left in the system by its developer
Disclosure • Actions taken by a security researcher after finding a software vulnerability • Full Disclosure • Release all details publicly • Responsible Disclosure • Tell vendor privately • Give them time to patch it
Software Capability Maturity Model (CMM) • From Carnegie Mellon • A methodical framework for creating quality software
Five Levels of CMM 1. Initial - ad-hoc & chaotic • Depends on individual effort 2. Repeatable - basic project management 3. Defined • Documented standardized process 4. Managed • Controlled, measured process & quality 5. Optimizing • Continual process improvement
Acceptance Testing • ISTQB (International Software Testing Qualifications Board) has 4 levels • User acceptance test • Operational acceptance test • Contract acceptance testing • Compliance acceptance testing
Security Impact of Acquired Software • Commercial Off-the-Shelf (COTS) Software • Compare vendor claims with third-party research • Consider vendors going out of business, and support • Custom-Developed Third Party Products • Service Level Agreements (SLA) are vital
Artificial Intelligence
Expert Systems • Two components • Knowledge Base • If/then statements • Contain rules that the expert system uses to make decisions • Inference Engine • Follows the tree formed by the knowledge base
Multi-Layer Artificial Neural Network • Simulates real brains
Bayesian Filtering • Looks for probabilities of words in spam v. good email
Genetic Algorithms and Programming • Simulates evolution

Recomendados

8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development SecuritySam Bowne
 
7 Software Development Security
7 Software Development Security7 Software Development Security
7 Software Development SecurityAlfred Ouyang
 
Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes Aqua Security
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference ArchitecturesSonatype
 
Web application vulnerabilities
Web application vulnerabilitiesWeb application vulnerabilities
Web application vulnerabilitiesebusinessmantra
 
Security Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SMESecurity Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SMEAlienVault
 
Security Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsSecurity Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsYulian Slobodyan
 
Cloud security and security architecture
Cloud security and security architectureCloud security and security architecture
Cloud security and security architectureVladimir Jirasek
 

Recomendados

8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development SecuritySam Bowne
 
7 Software Development Security
7 Software Development Security7 Software Development Security
7 Software Development SecurityAlfred Ouyang
 
Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes Aqua Security
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference ArchitecturesSonatype
 
Web application vulnerabilities
Web application vulnerabilitiesWeb application vulnerabilities
Web application vulnerabilitiesebusinessmantra
 
Security Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SMESecurity Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SMEAlienVault
 
Security Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsSecurity Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsYulian Slobodyan
 
Cloud security and security architecture
Cloud security and security architectureCloud security and security architecture
Cloud security and security architectureVladimir Jirasek
 
Threat Modeling Using STRIDE
Threat Modeling Using STRIDEThreat Modeling Using STRIDE
Threat Modeling Using STRIDEGirindro Pringgo Digdo
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouKevin Fealey
 
Cloud Security Architecture.pptx
Cloud Security Architecture.pptxCloud Security Architecture.pptx
Cloud Security Architecture.pptxMoshe Ferber
 
Setting up CSIRT
Setting up CSIRTSetting up CSIRT
Setting up CSIRTAPNIC
 
Devops Devops Devops, at Froscon
Devops Devops Devops, at FrosconDevops Devops Devops, at Froscon
Devops Devops Devops, at FrosconKris Buytaert
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsAmazon Web Services
 
Cybersecurity Basics - Aravindr.com
Cybersecurity Basics - Aravindr.comCybersecurity Basics - Aravindr.com
Cybersecurity Basics - Aravindr.comAravind R
 
Red7 Software Application Security Threat Modeling
Red7 Software Application Security Threat ModelingRed7 Software Application Security Threat Modeling
Red7 Software Application Security Threat ModelingRobert Grupe, CSSLP CISSP PE PMP
 
DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation JourneyDevOps Indonesia
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Sam Bowne
 
Cyber Security Layers - Defense in Depth
Cyber Security Layers - Defense in DepthCyber Security Layers - Defense in Depth
Cyber Security Layers - Defense in DepthMuhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master
 
EDR vs SIEM - The fight is on
EDR vs SIEM - The fight is onEDR vs SIEM - The fight is on
EDR vs SIEM - The fight is onJustin Henderson
 
Ch11 Basic Cryptography
Ch11 Basic CryptographyCh11 Basic Cryptography
Ch11 Basic CryptographyInformation Technology
 
Cybersecurity Insiders Webinar - Zero Trust: Best Practices for Securing the...
Cybersecurity Insiders Webinar - Zero Trust: Best Practices for Securing the...Cybersecurity Insiders Webinar - Zero Trust: Best Practices for Securing the...
Cybersecurity Insiders Webinar - Zero Trust: Best Practices for Securing the...Ivanti
 
SOC and SIEM.pptx
SOC and SIEM.pptxSOC and SIEM.pptx
SOC and SIEM.pptxSandeshUprety4
 
Adopting A Zero-Trust Model. Google Did It, Can You?
Adopting A Zero-Trust Model. Google Did It, Can You?Adopting A Zero-Trust Model. Google Did It, Can You?
Adopting A Zero-Trust Model. Google Did It, Can You?Zscaler
 
7 Steps to Threat Modeling
7 Steps to Threat Modeling7 Steps to Threat Modeling
7 Steps to Threat ModelingDanny Wong
 
Infrastructure as Code for Azure: ARM or Terraform?
Infrastructure as Code for Azure: ARM or Terraform?Infrastructure as Code for Azure: ARM or Terraform?
Infrastructure as Code for Azure: ARM or Terraform?Katherine Golovinova
 
User authentication
User authenticationUser authentication
User authenticationCAS
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk ManagementSam Bowne
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development SecuritySam Bowne
 
David buksbaum a-briefintroductiontocsharp
David buksbaum a-briefintroductiontocsharpDavid buksbaum a-briefintroductiontocsharp
David buksbaum a-briefintroductiontocsharpJorge Antonio Contre Vargas
 

Más contenido relacionado

La actualidad más candente

Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouKevin Fealey
 
Cloud Security Architecture.pptx
Cloud Security Architecture.pptxCloud Security Architecture.pptx
Cloud Security Architecture.pptxMoshe Ferber
 
Setting up CSIRT
Setting up CSIRTSetting up CSIRT
Setting up CSIRTAPNIC
 
Devops Devops Devops, at Froscon
Devops Devops Devops, at FrosconDevops Devops Devops, at Froscon
Devops Devops Devops, at FrosconKris Buytaert
 
Cybersecurity Basics - Aravindr.com
Cybersecurity Basics - Aravindr.comCybersecurity Basics - Aravindr.com
Cybersecurity Basics - Aravindr.comAravind R
 
DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation JourneyDevOps Indonesia
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Sam Bowne
 
EDR vs SIEM - The fight is on
EDR vs SIEM - The fight is onEDR vs SIEM - The fight is on
EDR vs SIEM - The fight is onJustin Henderson
 
Cybersecurity Insiders Webinar - Zero Trust: Best Practices for Securing the...
Cybersecurity Insiders Webinar - Zero Trust: Best Practices for Securing the...Cybersecurity Insiders Webinar - Zero Trust: Best Practices for Securing the...
Cybersecurity Insiders Webinar - Zero Trust: Best Practices for Securing the...Ivanti
 
Adopting A Zero-Trust Model. Google Did It, Can You?
Adopting A Zero-Trust Model. Google Did It, Can You?Adopting A Zero-Trust Model. Google Did It, Can You?
Adopting A Zero-Trust Model. Google Did It, Can You?Zscaler
 
7 Steps to Threat Modeling
7 Steps to Threat Modeling7 Steps to Threat Modeling
7 Steps to Threat ModelingDanny Wong
 
Infrastructure as Code for Azure: ARM or Terraform?
Infrastructure as Code for Azure: ARM or Terraform?Infrastructure as Code for Azure: ARM or Terraform?
Infrastructure as Code for Azure: ARM or Terraform?Katherine Golovinova
 
User authentication
User authenticationUser authentication
User authenticationCAS
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk ManagementSam Bowne
 

La actualidad más candente (20)

Threat Modeling Using STRIDE
Threat Modeling Using STRIDEThreat Modeling Using STRIDE
Threat Modeling Using STRIDE
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and You
 
Cloud Security Architecture.pptx
Cloud Security Architecture.pptxCloud Security Architecture.pptx
Cloud Security Architecture.pptx
 
Setting up CSIRT
Setting up CSIRTSetting up CSIRT
Setting up CSIRT
 
Devops Devops Devops, at Froscon
Devops Devops Devops, at FrosconDevops Devops Devops, at Froscon
Devops Devops Devops, at Froscon
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
Cybersecurity Basics - Aravindr.com
Cybersecurity Basics - Aravindr.comCybersecurity Basics - Aravindr.com
Cybersecurity Basics - Aravindr.com
 
Red7 Software Application Security Threat Modeling
Red7 Software Application Security Threat ModelingRed7 Software Application Security Threat Modeling
Red7 Software Application Security Threat Modeling
 
DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation Journey
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
 
Cyber Security Layers - Defense in Depth
Cyber Security Layers - Defense in DepthCyber Security Layers - Defense in Depth
Cyber Security Layers - Defense in Depth
 
EDR vs SIEM - The fight is on
EDR vs SIEM - The fight is onEDR vs SIEM - The fight is on
EDR vs SIEM - The fight is on
 
Ch11 Basic Cryptography
Ch11 Basic CryptographyCh11 Basic Cryptography
Ch11 Basic Cryptography
 
Cybersecurity Insiders Webinar - Zero Trust: Best Practices for Securing the...
Cybersecurity Insiders Webinar - Zero Trust: Best Practices for Securing the...Cybersecurity Insiders Webinar - Zero Trust: Best Practices for Securing the...
Cybersecurity Insiders Webinar - Zero Trust: Best Practices for Securing the...
 
SOC and SIEM.pptx
SOC and SIEM.pptxSOC and SIEM.pptx
SOC and SIEM.pptx
 
Adopting A Zero-Trust Model. Google Did It, Can You?
Adopting A Zero-Trust Model. Google Did It, Can You?Adopting A Zero-Trust Model. Google Did It, Can You?
Adopting A Zero-Trust Model. Google Did It, Can You?
 
7 Steps to Threat Modeling
7 Steps to Threat Modeling7 Steps to Threat Modeling
7 Steps to Threat Modeling
 
Infrastructure as Code for Azure: ARM or Terraform?
Infrastructure as Code for Azure: ARM or Terraform?Infrastructure as Code for Azure: ARM or Terraform?
Infrastructure as Code for Azure: ARM or Terraform?
 
User authentication
User authenticationUser authentication
User authentication
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk Management
 

Similar a CISSP Prep: Ch 9. Software Development Security

8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development SecuritySam Bowne
 
Tech presentation (part 1)
Tech presentation (part 1)Tech presentation (part 1)
Tech presentation (part 1)Abhijit Roy
 
Hpc lunch and learn
Hpc lunch and learnHpc lunch and learn
Hpc lunch and learnJohn D Almon
 
KYSUC - Keep Your Schema Under Control
KYSUC - Keep Your Schema Under ControlKYSUC - Keep Your Schema Under Control
KYSUC - Keep Your Schema Under ControlCoimbra JUG
 
Exploiting NoSQL Like Never Before
Exploiting NoSQL Like Never BeforeExploiting NoSQL Like Never Before
Exploiting NoSQL Like Never BeforeFrancis Alexander
 
.Net programming with C#
.Net programming with C#.Net programming with C#
.Net programming with C#NguynSang29
 
Introduction to CQRS - command and query responsibility segregation
Introduction to CQRS - command and query responsibility segregationIntroduction to CQRS - command and query responsibility segregation
Introduction to CQRS - command and query responsibility segregationAndrew Siemer
 
Distributed objects & components of corba
Distributed objects & components of corbaDistributed objects & components of corba
Distributed objects & components of corbaMayuresh Wadekar
 
Autoframework design
Autoframework designAutoframework design
Autoframework designForge Events
 
Introducing NoSQL and MongoDB to complement Relational Databases (AMIS SIG 14...
Introducing NoSQL and MongoDB to complement Relational Databases (AMIS SIG 14...Introducing NoSQL and MongoDB to complement Relational Databases (AMIS SIG 14...
Introducing NoSQL and MongoDB to complement Relational Databases (AMIS SIG 14...Lucas Jellema
 
Managing Applications in CodeIgniter
Managing Applications in CodeIgniterManaging Applications in CodeIgniter
Managing Applications in CodeIgniterJamshid Hashimi
 
Rajnish singh(presentation on oracle )
Rajnish singh(presentation on oracle )Rajnish singh(presentation on oracle )
Rajnish singh(presentation on oracle )Rajput Rajnish
 
Composable Software Architecture with Spring
Composable Software Architecture with SpringComposable Software Architecture with Spring
Composable Software Architecture with SpringSam Brannen
 
U-SQL - Azure Data Lake Analytics for Developers
U-SQL - Azure Data Lake Analytics for DevelopersU-SQL - Azure Data Lake Analytics for Developers
U-SQL - Azure Data Lake Analytics for DevelopersMichael Rys
 
An Open Source Workbench for Prototyping Multimodal Interactions Based on Off...
An Open Source Workbench for Prototyping Multimodal Interactions Based on Off...An Open Source Workbench for Prototyping Multimodal Interactions Based on Off...
An Open Source Workbench for Prototyping Multimodal Interactions Based on Off...Jean Vanderdonckt
 
IBM InterConnect 2015 - IIB Effective Application Development
IBM InterConnect 2015 - IIB Effective Application DevelopmentIBM InterConnect 2015 - IIB Effective Application Development
IBM InterConnect 2015 - IIB Effective Application DevelopmentAndrew Coleman
 

Similar a CISSP Prep: Ch 9. Software Development Security (20)

8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development Security
 
David buksbaum a-briefintroductiontocsharp
David buksbaum a-briefintroductiontocsharpDavid buksbaum a-briefintroductiontocsharp
David buksbaum a-briefintroductiontocsharp
 
Tech presentation (part 1)
Tech presentation (part 1)Tech presentation (part 1)
Tech presentation (part 1)
 
Hpc lunch and learn
Hpc lunch and learnHpc lunch and learn
Hpc lunch and learn
 
KYSUC - Keep Your Schema Under Control
KYSUC - Keep Your Schema Under ControlKYSUC - Keep Your Schema Under Control
KYSUC - Keep Your Schema Under Control
 
Exploiting NoSQL Like Never Before
Exploiting NoSQL Like Never BeforeExploiting NoSQL Like Never Before
Exploiting NoSQL Like Never Before
 
.Net programming with C#
.Net programming with C#.Net programming with C#
.Net programming with C#
 
Introduction to CQRS - command and query responsibility segregation
Introduction to CQRS - command and query responsibility segregationIntroduction to CQRS - command and query responsibility segregation
Introduction to CQRS - command and query responsibility segregation
 
Distributed objects & components of corba
Distributed objects & components of corbaDistributed objects & components of corba
Distributed objects & components of corba
 
Autoframework design
Autoframework designAutoframework design
Autoframework design
 
Why ruby and rails
Why ruby and railsWhy ruby and rails
Why ruby and rails
 
Introducing NoSQL and MongoDB to complement Relational Databases (AMIS SIG 14...
Introducing NoSQL and MongoDB to complement Relational Databases (AMIS SIG 14...Introducing NoSQL and MongoDB to complement Relational Databases (AMIS SIG 14...
Introducing NoSQL and MongoDB to complement Relational Databases (AMIS SIG 14...
 
Managing Applications in CodeIgniter
Managing Applications in CodeIgniterManaging Applications in CodeIgniter
Managing Applications in CodeIgniter
 
Rajnish singh(presentation on oracle )
Rajnish singh(presentation on oracle )Rajnish singh(presentation on oracle )
Rajnish singh(presentation on oracle )
 
DataOps with Project Amaterasu
DataOps with Project AmaterasuDataOps with Project Amaterasu
DataOps with Project Amaterasu
 
Composable Software Architecture with Spring
Composable Software Architecture with SpringComposable Software Architecture with Spring
Composable Software Architecture with Spring
 
U-SQL - Azure Data Lake Analytics for Developers
U-SQL - Azure Data Lake Analytics for DevelopersU-SQL - Azure Data Lake Analytics for Developers
U-SQL - Azure Data Lake Analytics for Developers
 
Node.js
Node.jsNode.js
Node.js
 
An Open Source Workbench for Prototyping Multimodal Interactions Based on Off...
An Open Source Workbench for Prototyping Multimodal Interactions Based on Off...An Open Source Workbench for Prototyping Multimodal Interactions Based on Off...
An Open Source Workbench for Prototyping Multimodal Interactions Based on Off...
 
IBM InterConnect 2015 - IIB Effective Application Development
IBM InterConnect 2015 - IIB Effective Application DevelopmentIBM InterConnect 2015 - IIB Effective Application Development
IBM InterConnect 2015 - IIB Effective Application Development
 

Más de Sam Bowne

3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities Sam Bowne
 
4 Mapping the Application
4 Mapping the Application4 Mapping the Application
4 Mapping the ApplicationSam Bowne
 
3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2) 3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2)Sam Bowne
 
12 Elliptic Curves
12 Elliptic Curves12 Elliptic Curves
12 Elliptic CurvesSam Bowne
 
11. Diffie-Hellman
11. Diffie-Hellman11. Diffie-Hellman
11. Diffie-HellmanSam Bowne
 
2a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1Sam Bowne
 
9 Writing Secure Android Applications
9 Writing Secure Android Applications9 Writing Secure Android Applications
9 Writing Secure Android ApplicationsSam Bowne
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)Sam Bowne
 
12 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3Sam Bowne
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard ProblemsSam Bowne
 
8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)Sam Bowne
 
11 Analysis Methodology
11 Analysis Methodology11 Analysis Methodology
11 Analysis MethodologySam Bowne
 
8. Authenticated Encryption
8. Authenticated Encryption8. Authenticated Encryption
8. Authenticated EncryptionSam Bowne
 
7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)Sam Bowne
 
7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)Sam Bowne
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream CiphersSam Bowne
 
6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data CollectionSam Bowne
 
4. Block Ciphers
4. Block Ciphers 4. Block Ciphers
4. Block Ciphers Sam Bowne
 

Más de Sam Bowne (20)

Cyberwar
CyberwarCyberwar
Cyberwar
 
3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities
 
4 Mapping the Application
4 Mapping the Application4 Mapping the Application
4 Mapping the Application
 
3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2) 3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2)
 
12 Elliptic Curves
12 Elliptic Curves12 Elliptic Curves
12 Elliptic Curves
 
11. Diffie-Hellman
11. Diffie-Hellman11. Diffie-Hellman
11. Diffie-Hellman
 
2a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1
 
9 Writing Secure Android Applications
9 Writing Secure Android Applications9 Writing Secure Android Applications
9 Writing Secure Android Applications
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)
 
10 RSA
10 RSA10 RSA
10 RSA
 
12 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard Problems
 
8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)
 
11 Analysis Methodology
11 Analysis Methodology11 Analysis Methodology
11 Analysis Methodology
 
8. Authenticated Encryption
8. Authenticated Encryption8. Authenticated Encryption
8. Authenticated Encryption
 
7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)
 
7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream Ciphers
 
6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection
 
4. Block Ciphers
4. Block Ciphers 4. Block Ciphers
4. Block Ciphers
 

Último

Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfPoh-Sun Goh
 
Single or Multiple melodic lines structure
Single or Multiple melodic lines structureSingle or Multiple melodic lines structure
Single or Multiple melodic lines structuredhanjurrannsibayan2
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17Celine George
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxAreebaZafar22
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - Englishneillewis46
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxDenish Jangid
 
FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024Elizabeth Walsh
 
Vishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdf
Vishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdfVishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdf
Vishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdfssuserdda66b
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxJisc
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibitjbellavia9
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSCeline George
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...Poonam Aher Patil
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfSherif Taha
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.christianmathematics
 
Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseAnaAcapella
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...ZurliaSoop
 
Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsKarakKing
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfAdmir Softic
 

Último (20)

Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
 
Single or Multiple melodic lines structure
Single or Multiple melodic lines structureSingle or Multiple melodic lines structure
Single or Multiple melodic lines structure
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17
 
Spatium Project Simulation student brief
Spatium Project Simulation student briefSpatium Project Simulation student brief
Spatium Project Simulation student brief
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - English
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024
 
Vishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdf
Vishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdfVishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdf
Vishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdf
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptx
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibit
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POS
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdf
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 
Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please Practise
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functions
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 

CISSP Prep: Ch 9. Software Development Security

  • 3. Machine Code, Source Code, and Assembly Language • Machine code • Binary language built into CPU • Source code • Human-readable language like C • Assembly Language • Low-level commands one step above machine language • Commands like ADD, SUB, PUSH
  • 4. Compilers, Interpreters, and Bytecode • Compilers translate source code into machine code • Interpreters translate each line of code into machine code on the fly while the program runs • Bytecode is an intermediary form between source code and machine code, ready to be executed in a Java Virtual Machine
  • 5. Procedural and Object-Oriented Languages • Procedural languages use subroutines, procedures and functions • Ex: C, FORTRAN • Object-oriented languages define abstract objects • Have attributes and methods • Can inherit properties from parent objects • Ex: C++, Ruby, Python
  • 8. Computer-Aided Software Engineering (CASE) • Programs assist in creation and maintenance of other programs • Three types • Tools: support one task • Workbenches: Integrate several tools • Environments: Support entire process • 4GL, object-oriented languages, and GUIs are used as components of CASE
  • 9. Top-Down vs. Bottom-Up Programming • Top-Down • Starts with high-level requirements • Common with procedural languages • Bottom-Up • Starts with low-level technical implementation details • Common with object-oriented languages
  • 10. Types of Publicly Released Software • Closed Source • Source code is confidential • Open Source • Free Software • May cost $0, or be open to modify • Freeware: costs $0 • Shareware: free trial period • Crippleware: limited free version
  • 11. Software Licensing • Public domain (free to use) • Proprietary software is copyrighted, and sometimes patented • EULA (End User License Agreement) • Open-source licenses • GNU Public License (GPL) • Berkeley Software Distribution (BSD) • Apache
  • 13. Waterfall Model • From 1969 • One-way • No iteration • Unrealistic
  • 16. Agile Software Development • Agile methods include Scrum and Extreme Programming (XP) • Agile Manifesto
  • 17. Scrum • Stop running the relay race • Doing only one step and handing off the project • Take up rugby • A team goes the distance as a unit
  • 18. Extreme Programming (XP) • Pairs of programmers work off a detailed specification • Constant communication with fellow programmers and customers
  • 19. Spiral • Many rounds • Each round is a project; may use waterfall model • Risk analysis performed for each round
  • 20.
  • 21. Rapid Application Development (RAD) • Goal: quickly meet business needs • Uses prototypes, "dummy" GUIs, and back-end databases
  • 22. Prototyping • Breaks projects into smaller tasks • Create multiple mockups (prototypes) • Customer sees realistic-looking results long before the final product is completed
  • 23. SDLC • Systems Development Live Cycle • or Software Development Live Cycle • Security included in every phase • NIST Special Publication 800-14
  • 24. SDLC Phases • Initiation • Development / Acquisition • Implementation • Operation • Disposal • Security plan should be first step
  • 25. SDLC Overview • Prepare security plan • Initiation: define need and purpose • Sensitivity Assessment • Development / Acquisition • Determine security requirements and incorporate them into specifications • Implementation • Install controls, security testing, accreditation
  • 26. SDLC Overview • Operation / Maintenance • Security operations and administration: backups, training, key management, etc. • Audits and monitoring • Disposal • Archiving • Media sanitization
  • 27. Integrated Product Teams • A customer-focused group that focuses on the entire lifecycle of a project • More agile than traditional hierarchical teams
  • 28. Software Escrow • Third party archives source code of proprietary software • Source code is revealed if the product is orphaned
  • 29. Code Repository Security • Like GitHub • Contents must be protected • Developers shouldn't publish code that contains secrets
  • 30. Security of Application Programming Interfaces (APIs) • API allows apps to use a service, like Facebook • API exploits abuse the API to compromise security
  • 32. Software Change and Configuration Management • Ensures that changes occur in an orderly fashion, and don't harm security • NIST SP 80-128 describes a Configuration Management Plan (CMP) • Configuration Control Board (CCB) • Configuration Item Identification • Configuration Change Control • Configuration Monitoring
  • 33. DevOps • Old system had strict separation of duties between developers, quality assurance, and production • DevOps is more agile, with everyone working together in the entire service lifecycle
  • 35. Database • Structured collection of data • Databases allow • Queries (searches) • Insertions • Deletions • Database Management Systems (DBMS) • Controls all access to the database • Enforces database security
  • 36. Database Concepts • Database Administrator (DBA) • Query language • Ex: Structured Query Language (SQL) • Inference attack • Enumerating low-privilege data to find missing items, which must be 
 high-privilege • Aggregation attack • Combining many low-privilege records to deduce high-privilege data
  • 37. Types of Databases • Relational • Hierarchical • Object-oriented • Flat file • Simple text file
  • 39. Relational Database Terms • Tables have rows (records or tuples) and columns (fields or attributes) • Primary Key field is guaranteed to be unique, like a SSN • Foreign key is a field in another table that matched the primary key • Join connects two tables by a matching field
  • 40. Integrity • Referential Integrity • Foreign keys match primary keys • Semantic Integrity • Field values match data type (no letters in numerical fields) • Entity Integrity • Each tuple has a non-null primary key
  • 41.
  • 43. Database Views • Contained user interface • Shows only some data and options • Like a PoS (Point of Sale) device
  • 44. Data Dictionary • Describes the tables • This is metadata -- data about data • Database schema • Describes the attributes and values of the tables
  • 45.
  • 46. Query Languages • Two subsets of commands • Data Definition Language (DDL) • Data Manipulation Language (DML) • Structured Query Language (SQL) is the most common query language • Many types • MySQL, ANSI SQL (used by Microsoft), PL/SQL (Procedural Language/SQL, used by Oracle), and more
  • 47. Common SQL Commands • SELECT * FROM Employees WHERE Title = "DETECTIVE"
  • 49. Object-Oriented Databases • Combines data and functions in an object-oriented framework • Uses Object Oriented Programming (OOP) • and Object Database Management System (OBMS)
  • 50. Database Integrity • Mitigate unauthorized data modification • Two users may attempt to change the same record simultaneously • The DBMS attempts to commit an update • If the commit is unsuccessful, the DBMS can rollback and restore from a save point • Database journal logs all transactions
  • 51. Database Replication and Shadowing • Highly Available (HA) databases • Multiple servers • Multiple copies of tables • Database replication • Mirrors a live database • Original and copy are in use, serving clients • Shadow database • Live backup, not used
  • 52. Data Warehousing and Data Mining • Data Warehouse • A large collection of data • Terabytes (1000 GB) • Petabytes (1000 TB) • Data Mining • Searching for patterns • Ex: finding credit card fraud
  • 54. Object-Oriented Programming (OOP) • A program is a series of connected objects that communicate via messages • Ex: Java, C++, Smalltalk, Ruby • Objects contain data and methods • Objects provide data hiding • Internal structure not visible from the outside • Also called encapsulation
  • 55. Object-Oriented Programming Concepts • Objects • Methods • Messages • Inheritance • Delegation • Polymorphism • Polyinsstantiation
  • 56. Example • Addy is an object • It has a method of addition • Input message is "1+2" • Output message is "3"
  • 58. Polyinstantiation • Multiple records for the same primary key, with different clearance levels
  • 59. Object Request Brokers (ORBs) • Middleware • Connect programs to other programs • Object search engines • Common ORBs • COM, DCOM, CORBA
  • 60. COM and DCOM • Component Object Model • Distributed Component Object Model • From Microsoft • Allows objects written in different OOP languages to communicate • Assemble a program by connecting components together like puzzle pieces • Includes ActiveX objects and Object Linking and Embedding (OLE) • COM and DCOM are being supplanted by Microsoft.NET
  • 61. CORBA • Common Object Request Broker Architecture • Open vendor-neutral framework • Competes with Microsoft's proprietary DCOM • Objects communicate via Interface Definition Language (IDL)
  • 62. Object-Oriented Analysis (OOA) & Object-Oriented Design (OOD) • Object-Oriented Analysis (OOA) • Analyzes a problem domain • Identifies all objects and interactions • Object-Oriented Design (OOD) • Then develops the solution
  • 63.
  • 64. Assessing the Effectiveness of Software Security
  • 65. Software Vulnerabilities • 15-50 errors per 1000 lines of code • Windows Vista has 50 million lines of code
  • 66. Types of Software Vulnerabilities • Hard-coded credentials • Buffer overflow • SQL injection • Directory path traversal • PHP Remote File Inclusion
  • 67. Buffer Overflow • Program reserves space for a variable • Ex: name[20] • User submits data that's too long to fit • Data written beyond the reserved space and corrupts memory • Can lead to Remote Code Execution
  • 68. TOCTOU / Race Conditions • Time of Check/Time of Use (TOCTOU) attacks (also called Race Conditions) • A brief time of vulnerability • Attacker needs to "win the race"
  • 69. Cross-Site Scripting (XSS) • Insert Javascript into a page • For example, a comment box • The code executes on another user's machine • BeEF (Browser Exploitation Framework) • Allows an attacker to control targets' browsers
  • 70. Cross-Site Request Forgery (CSRF) • Trick a user into executing an unintended action • With a malicious URL • Or by using a stolen cookie
  • 71. Privilege Escalation • Vertical escalation • Attacker increases privilege level • To "Administrator", "root", or "SYSTEM" • Horizontal escalation • To another user's account
  • 72. Backdoor • Shortcut into a system, bypassing security checks like username/password • May be through exploiting a vulnerability • Or a backdoor account left in the system by its developer
  • 73. Disclosure • Actions taken by a security researcher after finding a software vulnerability • Full Disclosure • Release all details publicly • Responsible Disclosure • Tell vendor privately • Give them time to patch it
  • 74. Software Capability Maturity Model (CMM) • From Carnegie Mellon • A methodical framework for creating quality software
  • 75. Five Levels of CMM 1. Initial - ad-hoc & chaotic • Depends on individual effort 2. Repeatable - basic project management 3. Defined • Documented standardized process 4. Managed • Controlled, measured process & quality 5. Optimizing • Continual process improvement
  • 76. Acceptance Testing • ISTQB (International Software Testing Qualifications Board) has 4 levels • User acceptance test • Operational acceptance test • Contract acceptance testing • Compliance acceptance testing
  • 77. Security Impact of Acquired Software • Commercial Off-the-Shelf (COTS) Software • Compare vendor claims with third-party research • Consider vendors going out of business, and support • Custom-Developed Third Party Products • Service Level Agreements (SLA) are vital
  • 79. Expert Systems • Two components • Knowledge Base • If/then statements • Contain rules that the expert system uses to make decisions • Inference Engine • Follows the tree formed by the knowledge base
  • 80. Multi-Layer Artificial Neural Network • Simulates real brains
  • 81. Bayesian Filtering • Looks for probabilities of words in spam v. good email
  • 82. Genetic Algorithms and Programming • Simulates evolution