Application Security
© 2007 NetSol Technologies, Inc. All rights reserved
Application Security
by: M. Faisal Naqvi, CISSP, Senior Consultant – Information Security
NetSol Technologies Ltd.
AGENDA
- Programming Concepts
- Threats and Malware
- Software Protection
- Audit & Assurance Mechanisms
- Database & Data Warehouse Environment
- Web Application Environment

Programming Concepts
Application vs. Operating System
- Project Management Controls
- Complexity of Systems and Projects
- Controls Built into Software
Generations of Programming Languages
- Generation I – Machine Language
- Generation II – Assembly Language
- Generation III – High-level Language
- Generation IV – Very high-level Language
- Generation V – Natural Language
Programming Languages
- COBOL, Fortran
- C, C-Plus, C++
- SmallTalk, Java, Eiffel
- Visual Programming Languages: Visual Basic, Visual C, Delphi
- BASIC, Logo, JavaScript
HTML, XML and ActiveX
- HTML
- XML
- ActiveX
Program Utilities
- Assembler
- Compiler
- Interpreter
Programming Concepts
- System Model
- Von Neumann Architecture
- Object-Oriented Programming (OOP): Inheritance, Polymorphism, Polyinstantiation
Programming Concepts (Cont…)
- Distributed Component Object Model (DCOM)
- Common Object Request Broker Architecture (CORBA)
Diagram: ORB Security System with Policy Enforcement Code – 1. Client Application sends Message; 2. Policy Implemented here; 3. Target Object
Threats & Malware
Threats & Malware
- Buffer Overflow
- Denial of Service
- Time of Check/Time of Use (TOC/TOU)
Threats & Malware (Cont…)
- Malformed Input Attacks: SQL Injection, Unicode Attack
- Executable Content/Mobile Code: Web Applets, Dynamic E-mail
Threats & Malware (Cont…)
- Object Reuse
- Garbage Collection
- Trap Door
Threats & Malware (Cont…)
- Incomplete Parameter Check and Enforcement
- Covert Channels
- Inadequate Granularity of Controls
- Social Engineering
- Multiple Paths to Information
Threats & Malware (Cont…)
- Malicious Software
- Modern malware is network aware
- Compatibility
- Platform Dominance
- Malware Functionality
Virus
- Reproduction – Central Characteristic
- Generally requires some action by the user
- May or may not carry payloads
Virus Types
- File Infector
- Boot Sector Infector
- System Infector
- Multipartite
- Macro Virus
- Script Virus
- Hoax
Virus Anti-Detection
- Stealth
- Tunneling
- Polymorphism
- Antivirus (anti-malware) Disabling
Virus Structure
- Infection/Reproduction: Target Search, Infection, Avoidance
- Trigger
- Payload
Worm
- Reproduces
- Generally uses loopholes in systems
- May not involve the user
- Often attacks server software
Trojan Horse
- Purported to be a positive utility
- Hidden negative payload
- Social Engineering
Logic Bomb
- Generally implanted by an insider
- Waits for condition or time
- Triggers negative payload
Diddlers, Backdoors and RATs
- Data Diddler
- Backdoor, Trapdoor
- RAT (Remote Access Trojan)
Threats & Malware
- D-DOS
- Zombie
- Prank
- Spyware and Adware
- Phishing
- BotNets

Software Protection
System Life Cycle
- Project Management-based Methodology
- Typical Phases of a System Life Cycle
System Life Cycle (Cont…) – Project Initiation and Planning
- Establish User Requirements
- Identify Alternatives
- Select/Approve Approach
Required Security Activities:
- Determine Security Requirements
- Conduct Risk Analysis
- Define Security Strategy
System Life Cycle (Cont…) – Functional Design Definition
- Develop Project Plan
- Identify Functional Requirements
- Set Test Criteria
- Develop Functional Baseline
Required Security Activities:
- Identify Security Areas
- Security Tools
- Include Security Reqs. in RFPs, Contracts
- Define Strategy
- Establish Security Requirements
- Include Functional Security Reqs.
System Life Cycle (Cont…) – Detailed Design Specifications
- Prepare Detailed Designs
- Update Testing Goals and Plans
- Develop Formal Baseline
Required Security Activities:
- Establish Security Specifications
- Update Security Test Plans
- Document Security Baseline
System Life Cycle (Cont…) – Develop & Document
- Develop System
- Unit Testing & Evaluation
- Document System
Required Security Activities:
- Develop Security Code
- Security Code Evaluation
- Document Security Code
System Life Cycle (Cont…) – Acceptance, Testing and Transition to Production
Steps: Test – Validate – Implement – Document – Certify – Accept
Required Security Activities (one per step): Security Components; Security Code; Security Controls; Security in Integrated System; Secure Operations; Secure System
Other items on this slide: Security Components, Integrated System, Project Manuals, Security Performance, Acceptance Test, System
System Life Cycle (Cont…) – Decommissioning / Disposal
- Critical data recovered or destroyed
- Media sanitized or destroyed
- Software removal
Software Development Methods
- Waterfall
- Spiral
- Clean-room
- Structured Programming Development
Software Development Methods (Cont…)
- Iterative Development
- Joint Analysis Development (JAD)
- Prototyping
- Modified Prototype Model (MPM)
- Exploratory Model
- Rapid Application Development (RAD)
Software Development Methods (Cont…)
- Reuse Model
- Computer Aided Software Engineering (CASE)
- Component Based Development
- Extreme Programming
Additional Software Protection Mechanisms
- Cryptography
- Access Controls
- Open Source
- Social Engineering Awareness
- Backup and Redundancy Controls
- Malicious Code Control
- Documentation and Common Program Controls
- Testing and Evaluation
- Mobile Code Controls
- Data Containment Controls

Audit & Assurance Mechanisms
Auditing and Assurance Mechanisms
- Information Integrity
- Information Auditing
- Malware Assurance
Change Management Process
- Formal Request for Change
- Analyze Request for feasibility, impact, timeline (security)
- Develop Implementation Strategy
- Approval of Change
- Development of Change
- Implementation & Testing of Change
- Review of Change Effectiveness
- Report to Management
Testing
- Last chance to avoid the disaster
- Testing is intended to find the problems
- Tests should address all normal and unexpected entries and conditions
- Do not compromise privacy with test data
Configuration Management
- Configuration Management
- Patch Management
- Patch Management Process
Patch Management
Potential problem areas:
- Distribution System Failures
- Inadequate Testing & Validation
- Patch Rollback
- Load on the network
- Stability issues and other regression issues

Database & Data Warehouse Environment
Database Environment
- Database Management Systems
- Databases – developed to manage information from many sources in one location
- Eliminates duplication of information
- Preserves storage space
- Prevents inconsistency in data by making changes in one central location
Database Environment (Cont…)
Major elements a DBMS should provide:
- Transaction Persistence
- Fault Tolerance and Recovery
- Sharing by Multiple Users
- Security Controls
DBMS Models
Hierarchical DBMS
- Stores records in a single table
- Parent/Child relationship
- Limited to a single tree
- Difficult to link branches
Diagram (tree): Car → Toyota, Honda, Suzuki; next level: Citi, Civic, Accord; next level: 4-door, 2-door
DBMS Models (Cont…)
Network DBMS
- Represents data as a network of records and sets that are related to each other, forming a network of links
- Record types – records of the same type
- Set types – relationship between record types
DBMS Models (Cont…)
Diagram (network model example): manufacturer records Ford, Mazda, BMW; vehicle records Regular – Mazda 6, Mazda 3; Truck – E-Series, Freestar; 4 x 4 variants; option records 5 Speed Transmission, Leather Interior, Front & Rear Climate Controls
DBMS Models (Cont…)
Relational DBMS
- Most frequently used DBMS model
- Data are structured in tables
- Columns represent the variables (attributes)
- Rows contain the specific instances (records) of data
DBMS Models (Cont…)
Author Table (columns are attributes, rows are tuples/records; Author No. is the primary key)

Author No. | Last Name | First Name | State
123456     | Smithson  | Mary       | CA
234567     | Rogers    | Mike       | NY
345678     | Tucker    | Sally      | CT
456789     | Gleason   | Sarah      | IL
DBMS Models (Cont…)
Book Table (Book No. is the primary key; Author No. is a foreign key referencing the Author Table)

Book No. | Book Title                | Book Type | Book Price | Author No.
B1234    | Learning Databases Models | Computer  | 1500       |
B2345    | Data Modeling Techniques  |           | 1200       | 234567
B3456    | Designing Databases       | Computer  | 1600       | 123456
B4567    | Secrets of Databases      | Computer  | 1800       | 345678

Author Table (Author No. is the primary key)

Author No. | Last Name | First Name | State
123456     | Smithson  | Mary       | CA
234567     | Rogers    | Mike       | NY
345678     | Tucker    | Sally      | CT
456789     | Gleason   | Sarah      | IL
DBMS Models (Cont…)
Relational Database Security Issues
- Ensuring integrity of input data
- Preventing deadlocking
- Access Control
DBMS Models (Cont…)
OODBMS & ORDBMS
- OODBMS (Object Oriented Database Management System)
- ORDBMS (Object Relational Database Management System)
Database Interface Language
- Open Database Connectivity (ODBC)
- Java Database Connectivity (JDBC)
- Extensible Markup Language (XML)
- Structured Query Language (SQL)
Database Security Issues
- Interface
- Aggregation
- Unauthorized Access
- Improper Modification of Data
- Access Availability
- Query Attacks
- Bypass Attacks
- Interception of Data
- Web Security
- Data Containment
View Based Access Controls
- Constrained Views
- Sensitive data is hidden from unauthorized users
- Controls located in the front-end application (user interface)
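As an added example (not from the deck), the Author and Book tables from the relational DBMS slides rebuilt in SQLite from Python, showing the primary/foreign keys and a constrained view of the kind the View Based Access Controls slide describes: the foreign key on Author No. rejects a book whose author does not exist, the view hides the State column from the role that queries through it, and the lookup binds the user-supplied value as a parameter instead of concatenating it. The SQL table and column names, storing the slide's blank cells as NULL, and treating State as the sensitive field are assumptions.

```python
import sqlite3

# Rows copied from the deck's Author Table (Author No., Last Name, First Name, State).
AUTHORS = [
    (123456, "Smithson", "Mary", "CA"),
    (234567, "Rogers", "Mike", "NY"),
    (345678, "Tucker", "Sally", "CT"),
    (456789, "Gleason", "Sarah", "IL"),
]

# Rows copied from the deck's Book Table. Two cells are blank on the slide
# (B1234 has no Author No., B2345 has no Book Type); they are stored as NULL
# here rather than guessed (assumption).
BOOKS = [
    ("B1234", "Learning Databases Models", "Computer", 1500, None),
    ("B2345", "Data Modeling Techniques", None, 1200, 234567),
    ("B3456", "Designing Databases", "Computer", 1600, 123456),
    ("B4567", "Secrets of Databases", "Computer", 1800, 345678),
]


def build_db():
    """Create both tables with the primary/foreign keys shown on the slides."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FKs unless enabled
    con.execute("""CREATE TABLE author (
        author_no  INTEGER PRIMARY KEY,
        last_name  TEXT NOT NULL,
        first_name TEXT NOT NULL,
        state      TEXT)""")
    con.execute("""CREATE TABLE book (
        book_no   TEXT PRIMARY KEY,
        title     TEXT NOT NULL,
        book_type TEXT,
        price     INTEGER,
        author_no INTEGER REFERENCES author(author_no))""")
    con.executemany("INSERT INTO author VALUES (?,?,?,?)", AUTHORS)
    con.executemany("INSERT INTO book VALUES (?,?,?,?,?)", BOOKS)
    # Constrained view: State is treated as the sensitive column (assumption) and
    # is simply not part of what the application role can select.
    con.execute("""CREATE VIEW public_catalog AS
        SELECT b.book_no, b.title, b.price, a.last_name
        FROM book b JOIN author a ON a.author_no = b.author_no""")
    con.commit()
    return con


def insert_book(con, row):
    """True if accepted; False if the primary or foreign key rejects the row."""
    try:
        with con:  # rolls back and re-raises on error
            con.execute("INSERT INTO book VALUES (?,?,?,?,?)", row)
        return True
    except sqlite3.IntegrityError:
        return False


def lookup_by_author(con, last_name):
    """Query through the view with a bound parameter: a value such as
    "' OR 1=1 --" is compared as a literal string, never parsed as SQL."""
    cur = con.execute(
        "SELECT book_no, title, price FROM public_catalog WHERE last_name = ?",
        (last_name,))
    return cur.fetchall()


def view_columns(con):
    """Column names the view exposes (State is absent)."""
    return [d[0] for d in con.execute("SELECT * FROM public_catalog").description]
```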
Data Warehouse
- Consolidated view of enterprise data
- Data Mart
- Designed to support decision making through data mining
Building a Data Warehouse
- Feed all data into a large high-security database
- Normalize the data
- Mine the data for correlations to produce metadata
- Sanitize and export the metadata to its intended users
Metadata
- Information about data
- Provides unseen relationships between data
Knowledge Discovery in Database (KDD)
- Methods of identifying patterns in data
- Some KDD methods use artificial intelligence (AI) techniques
- Probabilistic Models
- Statistical Approach
- Classification Approach
- Deviation & Trend Analysis
- Neural Networks
- Expert System Approach
Online Transaction Processing (OLTP)
- Records transactions as they occur – in real time
- Security concerns are concurrency and atomicity
- Lock controls
Lock Controls – The ACID Test
- Atomicity
- Consistency
- Isolation
- Durability

Web Application Environment
Web Site Incidents
- Vandalism
- Financial Fraud
- Privileged Access
- Theft of Transaction Information
- Theft of Intellectual Property
- Denial of Service (DoS)
Web Hacks
- Majority of hacks are at the application level
- Firewalls provide minimum protection
- Information Gathering
- Administrative Interfaces
- Configuration Management
- Authentication and Access Control
Web Hacks (Cont…)
- Input Validation
- Parameter Manipulation
- Session Management
Web Application Security Principles
- Validate all input and output
- Fail Secure (closed)
- Fail Safe
- Make it simple
- Defense in depth
- Only as secure as your weakest link
- Security by obscurity
Web Application Security Principles (Cont…)
- Don't cache secure pages
- Ensure all encryption meets industry standards
- Monitor third-party code vendors for security alerts
- Handle exceptions properly
- Don't trust any data from the client
- Don't trust any data from other servers, partners or other parts of the application
Review Questions
1. Databases are used to combine the data from many sources into one discrete source. Which of the following is not a reason to create a database?
a. A database will eliminate the need for data duplication across many systems
b. A database will preserve storage space
c. A database will prevent inconsistencies in the data by eliminating multiple copies of data
d. A database will deter insider inference attacks
2. Database design models have changed over the years. Which of the following models places the data in tables where the rows represent records and the columns represent attributes?
a. Hierarchical database management system
b. Relational database management system
c. Network database management system
d. Divergent database management system
3. Relational database management systems are used to show associations between objects contained in the database. Which of the following best describes a foreign key?
a. A foreign key is used to uniquely identify each row in the database
b. A foreign key is used to index a database
c. A foreign key is used to link elements of a table
d. A foreign key is used to join one table to the primary key of another table
4. In a relational database which of the following is true concerning a primary key?
a. A primary key must contain a common identifier associated with all entries into a table
b. A primary key must contain a non-null value in order to uniquely identify the tuple
c. Primary keys can be identified by their unique number letter format
d. The use of primary keys is only required in network database management systems, and does not apply to RDBMS
5. Anne in the accounting department, and Bill in auditing, are both attempting to assess an identical value on the accounts receivable database. Anne assesses the amount normally, but Bill receives an error message indicating that he has "read only" access. One possible reason for the error message is that the database management system (DBMS) has built-in features to prevent which of the following?
a. Static access retrieval
b. Automated queries
c. Inference attacks
d. Deadlocking
6. Which of the following database attacks describes an attack where the perpetrator uses information gained through authorized activity to reach conclusions relating to unauthorized data?
a. Unauthorized access attack
b. Bypass attack
c. SQL attack
d. Inference
7. Acme Corp. performs a nightly data transfer from all their active databases to a centralized server. The data is then normalized and the central server is queried to gain performance results for all sales locations. This activity describes which of the following?
a. Data warehouse
b. RDBMS
c. Data performance analysis
d. Metadata
8. A database that uses pre-defined grouping of data that can only be accessed based upon a user authorization level uses which of the following access control models?
a. Role based access control
b. Mandatory access control
c. View based access control
d. Front end delineated access control
9. An artificial intelligence system that gathers information from subject matter experts and attempts to use programmed rules to analyze problems and suggest a recommended course of action is called which of the following?
a. Classification approach
b. Probabilistic approach
c. Statistical approach
d. Expert system approach
10. After being closed for the weekend, on Monday morning Acme Corp. finds that their servers are running slow. The CPUs are showing 100% utilization. Network traffic is also exceptionally high. At the close of business on Friday, all systems were behaving normally. Closer examination is likely to reveal which of the following infestations?
a. Data Diddler
b. D-DOS Attack
c. Virus
d. Worm
11. A screen saver that opens an encrypted tunnel to a website under malicious control with the purpose of allowing attackers access to the infected machine is an example of which of the following malware?
a. Logic Bomb
b. Trojan Horse
c. Virtual Private Network
d. Spyware
12. One of the most significant differences between the software development life cycle and the system life cycle is that the software development life cycle does not include which of the following phases?
a. Decommissioning/Disposal
b. Startup/requirements
c. Development/construction
d. Operational testing
13. Which of the following is not a software development method?
a. Iterative development
b. Joint Interactive
c. Computer Aided Software Engineering
d. Reuse model
14. One of the major differences between a software compiler and a software interpreter is that:
a. A software compiler will translate lines of code on the fly
b. An interpreter will translate lines of code on the fly
c. A software compiler will convert high level programming language into assembly code
d. An interpreter will convert high level programming language into assembly code
15. The primary key is used to uniquely identify records in a database. By adding additional variables to the primary key, two items with the same identifier can be differentiated. This is often used to prevent inference attacks. Which of the following is best described by this scenario?
a. Polymorphism
b. Poly-alphabetic
c. Polyinstantiation
d. Polyvariabolic
16. Common Object Request Broker Architecture (CORBA) is designed to:
a. Control access to called object modules
b. Prevent objects in one class from affecting objects in another class
c. Ensure that the calling objects use inheritance properties properly
d. Determine access permissions for message-passing operations
17. Applications can NOT use which of the following methods to detect system attacks?
a. Known Signature Scanning
b. Activity Monitoring
c. Change Detection
d. Differential Linear Analysis
18. Configuration management ensures that approved changes are implemented as approved. Change management ensures which of the following?
a. Corporate officers are aware of all impending changes
b. Applicable regulatory compliance is adhered to
c. Changes are submitted, approved and recorded
d. Configuration changes are assigned to the most qualified individuals
19. Periodic vendor bug and vulnerability fixes need to be installed by a patch management system. These systems are limited in scope by which of the following?
a. Network bandwidth
b. Version of the operating system under test
c. Limits on agent operation
d. Source code availability
20. Accreditation and certification deal with similar security issues. Which of the following statements is true about certification and accreditation?
a. Accreditation is the technical analysis of a system to ensure that specific security requirements are met
b. Certification is the technical analysis of a system to ensure that specific security requirements are met
c. Accreditation is the sign-off by the IT staff that the system under test meets the manufacturer's security specifications
d. Certification is the sign-off by the IT staff that the system under test meets the manufacturer's security specifications
21. XYZ Corp. has created a new application for tracking customer information as well as their product database. Of the following individuals, who should be given full access and control over this application?
a. Network administrator
b. No one
c. Security administrator
d. Application developer