Application Security

Post on 16-Apr-2017


© 2007 NetSol Technologies, Inc. All rights reserved

Application Security

by: M. Faisal Naqvi, CISSP
Senior Consultant – Information Security
NetSol Technologies Ltd.

AGENDA

Programming Concepts
Threats and Malware
Software Protection
Audit & Assurance Mechanisms
Database & Data Warehouse Environment
Web Application Environment

Programming Concepts

Application vs. Operating System

Project Management Controls
Complexity of Systems and Projects
Controls Built into Software

Generations of Programming Languages

Generation I – Machine Language
Generation II – Assembly Language
Generation III – High-level Language
Generation IV – Very high-level Language
Generation V – Natural Language

Programming Languages

COBOL, Fortran
C, C-Plus, C++
SmallTalk, Java, Eiffel
Visual Programming Languages: Visual Basic, Visual C, Delphi
BASIC, Logo, JavaScript

HTML, XML and ActiveX

HTML
XML
ActiveX

Program Utilities

Assembler
Compiler
Interpreter

Programming Concepts

System Model
Von Neumann Architecture
Object-Oriented Programming (OOP)
  Inheritance
  Polymorphism
  Polyinstantiation

Programming Concepts (Cont…)

Distributed Component Object Model (DCOM)
Common Object Request Broker Architecture (CORBA)

[Diagram: ORB Security System. 1. Client Application sends Message; 2. Policy Implemented here (Policy Enforcement Code in the ORB); 3. Target Object]

Threats & Malware

Threats & Malware

Buffer Overflow
Denial of Service
Time of Check/Time of Use (TOC/TOU)

Threats & Malware (Cont…)

Malformed Input Attacks
  SQL Injection
  Unicode Attack
Executable Content/Mobile Code
  Web Applets
  Dynamic E-mail

Threats & Malware (Cont…)

Object Reuse
Garbage Collection
Trap Door

Threats & Malware (Cont…)

Incomplete Parameter Check and Enforcement

Covert Channels
Inadequate Granularity of Controls
Social Engineering
Multiple Paths to Information

Threats & Malware (Cont…)

Malicious Software
  Modern malware is network aware
  Compatibility
  Platform Dominance
  Malware Functionality

Virus

Reproduction – Central Characteristic
Generally requires some action by the user
May or may not carry payloads

Virus Types

File Infector
Boot Sector Infector
System Infector
Multipartite
Macro Virus
Script Virus
Hoax

Virus Anti-Detection

Stealth
Tunneling
Polymorphism
Antivirus (anti-malware) Disabling

Virus Structure

Infection/Reproduction
  Target Search
  Infection
  Avoidance
Trigger
Payload

Worm

Reproduces
Generally uses loopholes in systems
May not involve the user
Often attacks server software

Trojan Horse

Purported to be a positive utility
Hidden negative payload
Social Engineering

Logic Bomb

Generally implanted by an insider
Waits for a condition or time
Triggers negative payload

Diddlers, Backdoors and RATs

Data Diddler
Backdoor, Trapdoor
RAT (Remote Access Trojan)

Threats & Malware

D-DOS
Zombie
Prank
Spyware and Adware
Phishing
BotNets

Software Protection

System Life Cycle

Project Management-based Methodology
Typical Phases of a System Life Cycle

System Life Cycle (Cont…) – Project Initiation and Planning

Establish User Requirements
Identify Alternatives
Select/Approve Approach
Required Security Activities
  Determine Security Requirements
  Conduct Risk Analysis
  Define Security Strategy

System Life Cycle (Cont…) – Functional Design Definition

Develop Project Plan
Identify Functional Requirements
Set Test Criteria
Develop Functional Baseline
Required Security Activities
  Identify Security Areas
  Security Tools
  Include Security Reqs. in RFP’s, Contracts
  Define Strategy
  Establish Security Requirements
  Include Functional Security Reqs.

System Life Cycle (Cont…) – Detailed Design Specifications

Prepare Detailed Designs
Update Testing Goals and Plans
Develop Formal Baseline
Required Security Activities
  Establish Security Specifications
  Update Security Test Plans
  Document Security Baseline

System Life Cycle (Cont…) – Develop & Document

Develop System
Unit Testing & Evaluation
Document System
Required Security Activities
  Develop Security Code
  Security Code Evaluation
  Document Security Code

System Life Cycle (Cont…) – Acceptance, Testing and Transition to Production

Steps: Test, Validate, Implement, Document, Certify, Accept
System activities: Integrated System, Project Manuals, Acceptance Test, System
Required Security Activities: Security Components, Security Code, Security Controls, Security in Integrated System, Secure Operations, Secure System, Security Performance

System Life Cycle (Cont…) – Decommissioning / Disposal

Critical Data Recovered or Destroyed
Media sanitized or destroyed
Software removal

Software Development Methods

Waterfall
Spiral
Clean-room
Structured Programming Development

Software Development Methods (Cont…)

Iterative Development
Joint Analysis Development (JAD)
Prototyping
Modified Prototype Model (MPM)
Exploratory Model
Rapid Application Development (RAD)

Software Development Methods

Reuse Model
Computer Aided Software Engineering (CASE)
Component Based Development
Extreme Programming

Additional Software Protection Mechanisms

Cryptography
Access Controls
Open Source
Social Engineering Awareness
Backup and Redundancy Controls
Malicious Code Control
Documentation and Common Program Controls
Testing and Evaluation
Mobile Code Controls
Data Containment Controls

Audit & Assurance Mechanisms

Auditing and Assurance Mechanisms

Information Integrity
Information Auditing
Malware Assurance

Change Management Process

Formal Request for Change
Analyze Request for feasibility, impact, timeline (security)
Develop Implementation Strategy
Approval of Change
Development of Change
Implementation & Testing of Change
Review of Change Effectiveness
Report to Management

Testing

Last chance to avoid the disaster
Testing is intended to find the problems
Tests should address all normal and unexpected entries and conditions
Do not compromise privacy with test data

Configuration Management

Configuration Management
Patch Management
Patch Management Process

Patch Management

Potential problem areas:
  Distribution System Failures
  Inadequate Testing & Validation
  Patch Rollback
  Load on the network
  Stability issues and other regression issues

Database & Data Warehouse Environment

Database Environment

Database Management Systems
Databases – Developed to manage information from many sources in one location
  Eliminates duplication of information
  Preserves storage space
  Prevents inconsistency in data by making changes in one central location

Database Environment (Cont…)

Major Elements a DBMS Should Provide

Transaction Persistence
Fault Tolerance and Recovery
Sharing by Multiple Users
Security Controls

DBMS Models

Hierarchical DBMS
  Stores Records in a single Table
  Parent/Child Relationship
  Limited to a single tree
  Difficult to link branches

[Diagram: hierarchical tree with root Car; children Toyota, Honda, Suzuki; next level Citi, Civic, Accord; leaf level 4-door, 2-door]

DBMS Models (Cont…)

Network DBMS
  Represents data as a network of records and sets that are related to each other, forming a network of links
  Record types – records of the same type
  Set types – relationship between record types

DBMS Models (Cont…)

[Diagram: network model example. Manufacturer records Ford, Mazda and BMW are linked through set types to model records (Regular: Mazda 6, Mazda 3; Truck: ESeries, Freestar; 4 x 4 variants) and to option records (5 Speed Transmission, Leather Interior, Front & Rear Climate Controls)]

DBMS Models (Cont…)

Relational DBMS
  Most frequently used DBMS model
  Data are structured in tables
  Columns represent the variables (attributes)
  Rows contain the specific instances (records) of data

DBMS Models (Cont…)

Author Table

Author No.  Last Name  First Name  State
123456      Smithson   Mary        CA
234567      Rogers     Mike        NY
345678      Tucker     Sally       CT
456789      Gleason    Sarah       IL

Rows are tuples; columns are attributes; Author No. is the primary key.

DBMS Models (Cont…)

Book Table

Book No.  Book Title                 Book Type  Book Price  Author No.
B1234     Learning Databases Models  Computer   1500
B2345     Data Modeling Techniques              1200        234567
B3456     Designing Databases        Computer   1600        123456
B4567     Secrets of Databases       Computer   1800        345678

Author Table

Author No.  Last Name  First Name  State
123456      Smithson   Mary        CA
234567      Rogers     Mike        NY
345678      Tucker     Sally       CT
456789      Gleason    Sarah       IL

Book No. and Author No. are the primary keys of their tables; Author No. in the Book Table is a foreign key referencing the Author Table.

DBMS Models (Cont…)

Relational Database Security Issues
  Ensuring integrity of input data
  Preventing deadlocking
  Access Control
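The Relational Database Security Issues slide names ensuring the integrity of input data; the following Python, added here and not part of the original deck, shows how primary-key, foreign-key and CHECK constraints on tables modeled on the Author and Book tables above reject bad rows. It uses only the standard-library sqlite3 module; the schema, column names and sample rows are constructed for the example.

```python
"""Integrity constraints on tables modeled on the slide's Author/Book tables.

Added example, not from the original deck. Uses Python's standard sqlite3
module; the schema and sample rows are constructed to mirror the slides.
"""
import sqlite3

SCHEMA = """
CREATE TABLE author (
    author_no  INTEGER PRIMARY KEY,           -- primary key: unique and non-null
    last_name  TEXT NOT NULL,
    first_name TEXT NOT NULL,
    state      TEXT NOT NULL CHECK (length(state) = 2)
);
CREATE TABLE book (
    book_no    TEXT PRIMARY KEY,
    title      TEXT NOT NULL,
    book_type  TEXT,
    price      INTEGER NOT NULL CHECK (price > 0),
    author_no  INTEGER NOT NULL REFERENCES author(author_no)  -- foreign key
);
"""

# Constructed sample rows modeled on the slide tables.
AUTHORS = [(123456, "Smithson", "Mary", "CA"), (234567, "Rogers", "Mike", "NY"),
           (345678, "Tucker", "Sally", "CT"), (456789, "Gleason", "Sarah", "IL")]
BOOKS = [("B3456", "Designing Databases", "Computer", 1600, 123456),
         ("B4567", "Secrets of Databases", "Computer", 1800, 345678)]


def open_db():
    conn = sqlite3.connect(":memory:")
    # SQLite ignores REFERENCES clauses unless this pragma is switched on;
    # forgetting it is the classic way to end up with orphaned book rows.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO author VALUES (?, ?, ?, ?)", AUTHORS)
    conn.executemany("INSERT INTO book VALUES (?, ?, ?, ?, ?)", BOOKS)
    conn.commit()
    return conn


def try_insert_book(conn, row):
    """Return True if the row is stored, False if a constraint rejects it."""
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute("INSERT INTO book VALUES (?, ?, ?, ?, ?)", row)
        return True
    except sqlite3.IntegrityError:
        return False


def books_by_author(conn, author_no):
    """Follow the foreign key from Book back to Author."""
    return conn.execute(
        "SELECT b.book_no, b.title, a.last_name FROM book b "
        "JOIN author a ON a.author_no = b.author_no "
        "WHERE a.author_no = ? ORDER BY b.book_no", (author_no,)).fetchall()


if __name__ == "__main__":
    db = open_db()
    print(try_insert_book(db, ("B3456", "Duplicate key", "Computer", 100, 123456)))  # False
    print(try_insert_book(db, ("B9999", "Orphan author", "Computer", 100, 999999)))  # False
    print(try_insert_book(db, ("B8888", "Bad price", "Computer", -5, 123456)))       # False
    print(books_by_author(db, 123456))
```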

DBMS Models (Cont…)

OODBMS & ORDBMS
  OODBMS (Object Oriented Database Management System)
  ORDBMS (Object Relational Database Management System)

Database Interface Language

Open Database Connectivity (ODBC)
Java Database Connectivity (JDBC)
Extensible Markup Language (XML)
Structured Query Language (SQL)

Database Security Issues

Interface
Aggregation
Unauthorized Access
Improper Modification of Data
Access Availability
Query Attacks
Bypass Attacks
Interception of Data
Web Security
Data Containment

View Based Access Controls

Constrained Views
Sensitive data is hidden from unauthorized users
Controls located in the front-end application (user interface)
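As an added example (not from the deck) of a constrained view with the control located in the front-end application, the Python below builds a view over a table modeled on the Author Table and uses sqlite3's authorizer hook to let a restricted role read the view while denying direct reads of the base table. The table, the view, the constructed ssn column and the sample rows are assumptions of the example.

```python
"""Constrained view enforced by the front end (added example, not from the deck).

Python's sqlite3 authorizer hook plays the part of the front-end control the
slide describes: the restricted role may read the constrained view but is
denied direct reads of the base table that holds the sensitive column.
Table, rows and the 'ssn' column are constructed to mirror the Author Table.
"""
import sqlite3

# Constructed sample data modeled on the slide's Author Table plus a
# constructed sensitive column.
AUTHORS = [(123456, "Smithson", "Mary", "CA", "000-00-0001"),
           (234567, "Rogers", "Mike", "NY", "000-00-0002")]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE author (author_no INTEGER PRIMARY KEY, last_name TEXT,
                             first_name TEXT, state TEXT, ssn TEXT);
        -- constrained view: the sensitive column is simply not projected
        CREATE VIEW author_public AS
            SELECT author_no, last_name, first_name, state FROM author;
    """)
    conn.executemany("INSERT INTO author VALUES (?, ?, ?, ?, ?)", AUTHORS)
    conn.commit()
    return conn


def restrict_to_view(conn, base_table, view_name):
    """Front-end control: reads of base_table are allowed only when SQLite
    reports that they originate from view_name (its 5th callback argument)."""
    def authorizer(action, arg1, arg2, dbname, source):
        if (action == sqlite3.SQLITE_READ and arg1 == base_table
                and source != view_name):
            return sqlite3.SQLITE_DENY   # the statement fails to prepare
        return sqlite3.SQLITE_OK
    conn.set_authorizer(authorizer)


def query(conn, sql):
    """Run a read for the restricted role; return rows, or the error text."""
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.DatabaseError as exc:
        return str(exc)


if __name__ == "__main__":
    db = build_db()
    restrict_to_view(db, "author", "author_public")
    print(query(db, "SELECT last_name, state FROM author_public"))  # rows
    print(query(db, "SELECT ssn FROM author"))                      # denied
    print(query(db, "SELECT * FROM author"))                        # denied
```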

Data Warehouse

Consolidated view of enterprise data
Data Mart
Designed to support decision making through data mining

Building Data Warehouse

Feed all data into a large high security database
Normalize the data
Mine the data for correlations to produce metadata
Sanitize and export the metadata to its intended users

Metadata

Information about data
Provides unseen relationships between data

Knowledge Discovery in Database (KDD)

Methods of identifying patterns in data
Some KDD methods use artificial intelligence (AI) techniques
  Probabilistic Models
  Statistical Approach
  Classification Approach
  Deviation & Trend Analysis
  Neural Networks
  Expert System Approach

Online Transaction Processing (OLTP)

Record Transactions as they occur – in real time
Security concerns are concurrency and atomicity
Lock controls

Lock Controls – The ACID Test

Atomicity
Consistency
Isolation
Durability

Web Application Environment

Web Site Incidents

Vandalism
Financial Fraud
Privileged Access
Theft of Transaction Information
Theft of Intellectual Property
Denial of Service (DoS)

Web Hacks

Majority of hacks at the application level
Firewalls provide minimum protection
Information Gathering
Administrative Interfaces
Configuration Management
Authentication and Access Control

Web Hacks (Cont…)

Input validation
Parameter Manipulation
Session Management

Web Application Security Principles

Validate all input and output
Fail Secure (closed)
Fail Safe
Make it simple
Defense in depth
Only as secure as your weakest link
Security by obscurity

Web Application Security Principles (Cont…)

Don’t cache secure pages
Ensure all encryption meets industry standards
Monitor third party code vendors for security alerts
Handle exceptions properly
Don’t trust any data from client
Don’t trust any data from other servers, partners or other parts of the application
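To make the principles validate all input and don’t trust any data from the client concrete, and to tie them to the SQL Injection item under Malformed Input Attacks, the following Python (added here, not the deck’s own code) shows a lookup that pastes client input into SQL beside one that allow-lists the value, fails closed and binds it as a parameter. The author table, its rows and the state-code rule are constructed for the example.

```python
"""Validate all input and never trust client data: vulnerable vs. hardened lookup.

Added example, not from the original deck. A constructed author table in an
in-memory sqlite3 database stands in for the application's back end.
"""
import re
import sqlite3

# Constructed sample rows modeled on the slide's Author Table.
AUTHORS = [(123456, "Smithson", "Mary", "CA"), (234567, "Rogers", "Mike", "NY"),
           (345678, "Tucker", "Sally", "CT")]
STATE_CODE = re.compile(r"[A-Z]{2}")   # allow-list: the only valid shape of input


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE author (author_no INTEGER PRIMARY KEY, "
                 "last_name TEXT, first_name TEXT, state TEXT)")
    conn.executemany("INSERT INTO author VALUES (?, ?, ?, ?)", AUTHORS)
    conn.commit()
    return conn


def authors_in_state_vulnerable(conn, state):
    """Client-supplied text is pasted into the SQL: malformed input changes
    the query's meaning (the deck's 'SQL Injection' under Malformed Input)."""
    sql = ("SELECT last_name FROM author WHERE state = '" + state
           + "' ORDER BY author_no")
    return [row[0] for row in conn.execute(sql)]


def authors_in_state_hardened(conn, state):
    """Validate against the allow-list and fail closed, then bind the value
    as a parameter so the database never parses it as SQL."""
    if not isinstance(state, str) or not STATE_CODE.fullmatch(state):
        raise ValueError("rejected state code")
    rows = conn.execute(
        "SELECT last_name FROM author WHERE state = ? ORDER BY author_no",
        (state,))
    return [row[0] for row in rows]


def demo():
    """Run both lookups on a normal and a constructed malformed input."""
    conn = build_db()
    normal, malformed = "CA", "XX' OR '1'='1"
    results = {
        "vulnerable_normal": authors_in_state_vulnerable(conn, normal),
        "vulnerable_malformed": authors_in_state_vulnerable(conn, malformed),
        "hardened_normal": authors_in_state_hardened(conn, normal),
    }
    try:
        authors_in_state_hardened(conn, malformed)
        results["hardened_malformed"] = "accepted"
    except ValueError:
        results["hardened_malformed"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```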

Review Questions


1. Databases are used to combine the data from many sources into one discrete source. Which of the following is not a reason to create a database?

a. A database will eliminate the need for data duplication across many systems
b. A database will preserve storage space
c. A database will prevent inconsistencies in the data by eliminating multiple copies of data
d. A database will deter insider inference attacks

2. Database design models have changed over the years. Which of the following models places the data in tables where the rows represent records and the columns represent attributes?

a. Hierarchical database management system
b. Relational database management system
c. Network database management system
d. Divergent database management system

3. Relational database management systems are used to show associations between objects contained in the database. Which of the following best describes a foreign key?

a. A foreign key is used to uniquely identify each row in the database
b. A foreign key is used to index a database
c. A foreign key is used to link elements of a table
d. A foreign key is used to join one table to the primary key of another table

4. In a relational database which of the following is true concerning a primary key?

a. A primary key must contain a common identifier associated with all entries into a table

b. A primary key must contain a non-null value in order to uniquely identify the tuple

c. Primary keys can be identified by their unique number letter format

d. The use of primary keys is only required in network database management systems, and does not apply to RDBMS


5. Anne in the accounting department and Bill in auditing are both attempting to access an identical value on the accounts receivable database. Anne accesses the amount normally, but Bill receives an error message indicating that he has “read only” access. One possible reason for the error message is that the database management system (DBMS) has built-in features to prevent which of the following?

a. Static access retrieval
b. Automated Queries
c. Inference attacks
d. Deadlocking

6. Which of the following database attacks describes an attack where the perpetrator uses information gained through authorized activity to reach a conclusion relating to unauthorized data?

a. Unauthorized access attack
b. Bypass attack
c. SQL attack
d. Inference

7. Acme Corp. performs a nightly data transfer from all their active databases to a centralized server. The data is then normalized and the central server is queried to gain performance results for all sales locations. This activity describes which of the following?

a. Data warehouse
b. RDBMS
c. Data performance analysis
d. Metadata

8. A database that uses pre-defined groupings of data that can only be accessed based upon a user authorization level uses which of the following access control models?

a. Role based access control
b. Mandatory access control
c. View based access control
d. Front end delineated access control

9. An artificial intelligence system that gathers information from subject matter experts and attempts to use programmed rules to analyze problems and suggest a recommended course of action is called which of the following?

a. Classification approach
b. Probabilistic approach
c. Statistical approach
d. Expert system approach

10. After being closed for the weekend, on Monday morning Acme Corp. finds that their servers are running slow. The CPUs are showing 100% utilization. Network traffic is also exceptionally high. At the close of business on Friday, all systems were behaving normally. Closer examination is likely to reveal which of the following infestations?

a. Data Diddler
b. D-DOS Attack
c. Virus
d. Worm

11. A screen saver that opens an encrypted tunnel to a website under malicious control with the purpose of allowing attackers access to the infected machine is an example of which of the following malware?

a. Logic Bomb
b. Trojan Horse
c. Virtual Private Network
d. Spyware

12. One of the most significant differences between the software development life cycle and the system life cycle is that the software development life cycle does not include which of the following phases?

a. Decommissioning/Disposal
b. Startup/requirements
c. Development/construction
d. Operational testing

13. Which of the following is not a software development method?

a. Iterative development
b. Joint Interactive
c. Computer Aided Software Engineering
d. Reuse model

14. One of the major differences between a software compiler and a software interpreter is that:

a. A software compiler will translate lines of code on the fly
b. An interpreter will translate lines of code on the fly
c. A software compiler will convert high level programming language into assembly code
d. An interpreter will convert high level programming language into assembly code

15. The primary key is used to uniquely identify records in a database. By adding additional variables to the primary key, two items with the same identifier can be differentiated. This is often used to prevent inference attacks. Which of the following is best described by this scenario?

a. Polymorphism
b. Poly-alphabetic
c. Polyinstantiation
d. Polyvariabolic

16. Common Object Request Broker Architecture (CORBA) is designed to:

a. Control access to called object modules
b. Prevent objects in one class from affecting objects in another class
c. Ensure that the calling objects use inheritance properties properly
d. Determine access permissions for message-passing operations

17. Applications can NOT use which of the following methods to detect system attacks?

a. Known Signature Scanning
b. Activity Monitoring
c. Change Detection
d. Differential Linear Analysis

18. Configuration management ensures that approved changes are implemented as approved. Change management ensures which of the following?

a. Corporate officers are aware of all impending changes
b. Applicable regulatory compliance is adhered to
c. Changes are submitted, approved and recorded
d. Configuration changes are assigned to the most qualified individuals

19. Periodic vendor bug and vulnerability fixes need to be installed by a patch management system. These systems are limited in scope by which of the following?

a. Network bandwidth
b. Version of the operating system under test
c. Limits on agent operation
d. Source code availability

20. Accreditation and certification deal with similar security issues. Which of the following statements is true about certification and accreditation?

a. Accreditation is the technical analysis of a system to ensure that specific security requirements are met
b. Certification is the technical analysis of a system to ensure that specific security requirements are met
c. Accreditation is the sign-off by the IT staff that the system under test meets the manufacturer’s security specifications
d. Certification is the sign-off by the IT staff that the system under test meets the manufacturer’s security specifications

21. XYZ Corp. has created a new application for tracking customer information as well as their product database. Of the following individuals, who should be given full access and control over this application?

a. Network administrator
b. No one
c. Security administrator
d. Application developer