Application Security

© 2007 NetSol Technologies, Inc. All rights reserved
Application Security, by M. Faisal Naqvi, CISSP, Senior Consultant – Information Security, NetSol Technologies Ltd.

Transcript of Application Security

Page 1: Application Security


Application Security

by: M. Faisal Naqvi, CISSP, Senior Consultant – Information Security

NetSol Technologies Ltd.

Page 2: Application Security


AGENDA

Programming Concepts
Threats and Malware
Software Protection
Audit & Assurance Mechanisms
Database & Data Warehouse Environment
Web Application Environment

Page 3: Application Security

Programming Concepts

Page 4: Application Security


Application vs. Operating System

Project Management Controls
Complexity of Systems and Projects
Controls Built into Software

Page 5: Application Security


Generations of Programming Languages
Generation I – Machine Language
Generation II – Assembly Language
Generation III – High-level Language
Generation IV – Very high-level Language
Generation V – Natural Language

Page 6: Application Security


Programming Languages

COBOL, Fortran
C, C-Plus, C++
SmallTalk, Java, Eiffel
Visual Programming Languages: Visual Basic, Visual C, Delphi
BASIC, Logo, JavaScript

Page 7: Application Security


HTML, XML and ActiveX

HTML
XML
ActiveX

Page 8: Application Security


Program Utilities

Assembler
Compiler
Interpreter

Page 9: Application Security


Programming Concepts

System Model
Von Neumann Architecture
Object-Oriented Programming (OOP)
Inheritance
Polymorphism
Polyinstantiation

Page 10: Application Security


Programming Concepts (Cont…)

Distributed Component Object Model (DCOM)
Common Object Request Broker Architecture (CORBA)
Figure – ORB Security System with Policy Enforcement Code:
1. Client Application sends Message
2. Policy Implemented here
3. Target Object

Page 11: Application Security

Threats & Malware

Page 12: Application Security


Threats & Malware

Buffer Overflow
Denial of Service
Time of Check/Time of Use (TOC/TOU)

Page 13: Application Security


Threats & Malware (Cont…)

Malformed Input Attacks
SQL Injection
Unicode Attack
Executable Content/Mobile Code
Web Applets
Dynamic E-mail

Page 14: Application Security


Threats & Malware (Cont…)

Object Reuse
Garbage Collection
Trap Door

Page 15: Application Security


Threats & Malware (Cont…)

Incomplete Parameter Check and Enforcement
Covert Channels
Inadequate Granularity of Controls
Social Engineering
Multiple Paths to Information

Page 16: Application Security


Threats & Malware (Cont…)

Malicious Software
Modern malware is network aware
Compatibility
Platform Dominance
Malware Functionality

Page 17: Application Security


Virus

Reproduction – Central Characteristic
Generally requires some action by the user
May or may not carry payloads

Page 18: Application Security


Virus Types

File Infector
Boot Sector Infector
System Infector
Multipartite
Macro Virus
Script Virus
Hoax

Page 19: Application Security


Virus Anti-Detection

Stealth
Tunneling
Polymorphism
Antivirus (anti-malware) Disabling

Page 20: Application Security


Virus Structure

Infection/Reproduction: Target Search, Infection, Avoidance
Trigger
Payload

Page 21: Application Security


Worm

Reproduces
Generally uses loopholes in systems
May not involve the user
Often attacks server software

Page 22: Application Security


Trojan Horse

Purported to be a positive utility
Hidden negative payload
Social Engineering

Page 23: Application Security


Logic Bomb

Generally implanted by an insider
Waits for a condition or time
Triggers negative payload

Page 24: Application Security


Diddlers, Backdoors and RATs

Data Diddler
Backdoor, Trapdoor
RAT (Remote Access Trojan)

Page 25: Application Security


Threats & Malware

D-DOS
Zombie
Prank
Spyware and Adware
Phishing
BotNets

Page 26: Application Security

Software Protection

Page 27: Application Security


System Life Cycle

Project Management-based Methodology
Typical Phases of a System Life Cycle

Page 28: Application Security


System Life Cycle (Cont…)

Project Initiation and Planning
Establish User Requirements
Identify Alternatives
Select/Approve Approach
Required Security Activities:
Determine Security Requirements
Conduct Risk Analysis
Define Security Strategy

Page 29: Application Security


System Life Cycle (Cont…) – Functional Design Definition
Develop Project Plan
Identify Functional Requirements
Set Test Criteria
Develop Functional Baseline
Required Security Activities:
Identify Security Areas
Security Tools
Include Security Reqs. in RFPs / Contracts
Define Strategy
Establish Security Requirements
Include Functional Security Reqs.

Page 30: Application Security


System Life Cycle (Cont…) – Detailed Design Specifications
Prepare Detailed Designs
Update Testing Goals and Plans
Develop Formal Baseline
Required Security Activities:
Establish Security Specifications
Update Security Test Plans
Document Security Baseline

Page 31: Application Security


System Life Cycle (Cont…) – Develop & Document
Develop System
Unit Testing & Evaluation
Document System
Required Security Activities:
Develop Security Code
Security Code Evaluation
Document Security Code

Page 32: Application Security


System Life Cycle (Cont…) – Acceptance, Testing and Transition to Production
Steps: Test, Validate, Implement, Document, Certify, Accept
Required Security Activities:
Security Components
Security Code
Security Controls
Security in Integrated System
Secure Operations
Secure System
Security Components
Integrated System
Project Manuals
Security Performance
Acceptance Test
System

Page 33: Application Security


System Life Cycle (Cont…) Decommissioning / Disposal

Critical Data Recovered or Destroyed
Media sanitized or destroyed
Software removal

Page 34: Application Security


Software Development Methods

Waterfall
Spiral
Clean-room
Structured Programming Development

Page 35: Application Security


Software Development Methods (Cont…)
Iterative Development
Joint Analysis Development (JAD)
Prototyping
Modified Prototype Model (MPM)
Explanatory Model
Rapid Application Development (RAD)

Page 36: Application Security


Software Development Methods

Reuse Model
Computer Aided Software Engineering (CASE)
Component Based Development
Extreme Programming

Page 37: Application Security


Additional Software Protection Mechanisms
Cryptography
Access Controls
Open Source
Social Engineering Awareness
Backup and Redundancy Controls
Malicious Code Control
Documentation and Common Program Controls
Testing and Evaluation
Mobile Code Controls
Data Containment Controls

Page 38: Application Security

Audit & Assurance Mechanisms

Page 39: Application Security


Auditing and Assurance Mechanisms
Information Integrity
Information Auditing
Malware Assurance

Page 40: Application Security


Change Management Process
Formal Request for Change
Analyze Request for feasibility, impact, timeline (security)
Develop Implementation Strategy
Approval of Change
Development of Change
Implementation & testing of Change
Review of Change Effectiveness
Report to Management

Page 41: Application Security


Testing

Last chance to avoid the disaster
Testing is intended to find the problems

Tests should address all normal and unexpected entries and conditions

Do not compromise privacy with test data

Page 42: Application Security


Configuration Management

Configuration Management
Patch Management
Patch Management Process

Page 43: Application Security


Patch Management

Potential problem areas:
Distribution System Failures
Inadequate Testing & Validation
Patch Rollback
Load on the network
Stability issues and other regression issues

Page 44: Application Security

Database & Data Warehouse Environment

Page 45: Application Security


Database Environment

Database Management Systems
Databases – Developed to manage information from many sources in one location
Eliminates duplication of information
Preserves storage space
Prevents inconsistency in data by making changes in one central location

Page 46: Application Security


Database Environment (Cont…)

Major Elements a DBMS Should Provide
Transaction Persistence
Fault Tolerance and Recovery
Sharing by Multiple Users
Security Controls

Page 47: Application Security


DBMS Models

Hierarchical DBMS
Stores Records in a single Table
Parent/Child Relationship
Limited to a single tree
Difficult to link branches
Figure (example tree): Car → Toyota, Honda, Suzuki → Citi, Civic, Accord → 4-door, 2-door

Page 48: Application Security


DBMS Models (Cont…)

Network DBMS
Represents data as a network of records and sets that are related to each other, forming a network of links
Record types – records of the same type
Set types – relationship between record types

Page 49: Application Security


DBMS Models (Cont…)

Figure (example network): records Ford, Mazda, BMW linked through sets – Regular: Mazda 6, Mazda 3; Truck: E-Series, Freestar; 4 x 4: x3, x5; option records: 5 Speed Transmission, Leather Interior, Front & Rear Climate Controls

Page 50: Application Security


DBMS Models (Cont…)

Relational DBMS
Most frequently used DBMS model
Data are structured in tables
Columns represent the variables (attributes)
Rows contain the specific instances (records) of data

Page 51: Application Security


DBMS Models (Cont…)

Author Table

Author No. | Last Name | First Name | State
123456 | Smithson | Mary | CA
234567 | Rogers | Mike | NY
345678 | Tucker | Sally | CT
456789 | Gleason | Sarah | IL

Rows are tuples; columns are attributes; Author No. is the primary key.

Page 52: Application Security


DBMS Models (Cont…)

Book Table

Book No. | Book Title | Book Type | Book Price | Author No.
B1234 | Learning Databases Models | Computer | 1500 |
B2345 | Data Modeling Techniques | | 1200 | 234567
B3456 | Designing Databases | Computer | 1600 | 123456
B4567 | Secrets of Databases | Computer | 1800 | 345678

Author Table

Author No. | Last Name | First Name | State
123456 | Smithson | Mary | CA
234567 | Rogers | Mike | NY
345678 | Tucker | Sally | CT
456789 | Gleason | Sarah | IL

Primary keys: Book No. in the Book Table and Author No. in the Author Table. Foreign key: Author No. in the Book Table, which references the Author Table.

Page 53: Application Security


DBMS Models (Cont…)

Relational Database Security Issues
Ensuring integrity of input data
Preventing deadlocking
Access Control

Page 54: Application Security


DBMS Models (Cont…)

OODBMS & ORDBMS
OODBMS (Object Oriented Database Management System)
ORDBMS (Object Relational Database Management System)

Page 55: Application Security


Database Interface Language

Open Database Connectivity (ODBC)
Java Database Connectivity (JDBC)
Extensible Markup Language (XML)
Structured Query Language (SQL)

Page 56: Application Security


Database Security Issues

Inference
Aggregation
Unauthorized Access
Improper Modification of Data
Access Availability
Query Attacks
Bypass Attacks
Interception of Data
Web Security
Data Containment

Page 57: Application Security


View Based Access Controls

Constrained Views
Sensitive data is hidden from unauthorized users
Controls located in the front-end application (user interface)
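The Author and Book tables from the earlier slides (with Author No. as the Book Table's foreign key), the "ensuring integrity of input data" and access-control issues listed under Relational Database Security Issues, and the constrained view described here can all be exercised in one short script. The following is an added example written for this transcript; it is not code from the slides or from NetSol. It uses Python's standard sqlite3 module. The table and column names are the slides', lower-cased; the CHECK constraint on price and the choice of State as the "sensitive" column are the example's own assumptions; and because SQLite has no GRANT statement, the view-only restriction is simulated with SQLite's authorizer hook, which is a demo device rather than a feature of DBMSs in general.

```python
import sqlite3

# Constructed sample data, copied from the Author and Book tables on the slides.
# The first book's Author No. is left NULL because the slide leaves it blank.
AUTHORS = [
    (123456, "Smithson", "Mary", "CA"),
    (234567, "Rogers", "Mike", "NY"),
    (345678, "Tucker", "Sally", "CT"),
    (456789, "Gleason", "Sarah", "IL"),
]
BOOKS = [
    ("B1234", "Learning Databases Models", "Computer", 1500, None),
    ("B2345", "Data Modeling Techniques", None, 1200, 234567),
    ("B3456", "Designing Databases", "Computer", 1600, 123456),
    ("B4567", "Secrets of Databases", "Computer", 1800, 345678),
]


def build_db():
    """Create the two slide tables with their keys, plus a constrained view."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FKs unless this is set
    conn.executescript("""
        CREATE TABLE author (
            author_no  INTEGER PRIMARY KEY,   -- primary key: unique and non-null
            last_name  TEXT NOT NULL,
            first_name TEXT NOT NULL,
            state      TEXT NOT NULL          -- treated as the sensitive column (assumption)
        );
        CREATE TABLE book (
            book_no    TEXT PRIMARY KEY,
            title      TEXT NOT NULL,
            book_type  TEXT,
            price      INTEGER NOT NULL CHECK (price > 0),   -- input integrity rule (assumption)
            author_no  INTEGER REFERENCES author(author_no)  -- foreign key to author
        );
        -- Constrained view: the same rows as author, without the sensitive column.
        CREATE VIEW author_public AS
            SELECT author_no, last_name, first_name FROM author;
    """)
    conn.executemany("INSERT INTO author VALUES (?, ?, ?, ?)", AUTHORS)
    conn.executemany("INSERT INTO book VALUES (?, ?, ?, ?, ?)", BOOKS)
    conn.commit()
    return conn


def insert_book(conn, row):
    """Return True if the DBMS accepted the row, False if a constraint rejected it."""
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute("INSERT INTO book VALUES (?, ?, ?, ?, ?)", row)
        return True
    except sqlite3.IntegrityError:  # foreign-key or CHECK violation
        return False


def books_with_authors(conn):
    """Join the tables on the foreign key: (title, author's last name) pairs."""
    return conn.execute("""
        SELECT b.title, a.last_name
        FROM book AS b JOIN author AS a ON b.author_no = a.author_no
        ORDER BY b.book_no
    """).fetchall()


def restrict_to_view(conn):
    """Simulated view-based access control: from now on this connection may read
    the author table only through author_public, never directly.
    SQLite has no GRANT, so the demo uses its authorizer hook instead."""
    def authorizer(action, table, column, dbname, source):
        # 'source' names the view (or trigger) on whose behalf a read happens;
        # it is None for a direct read issued from top-level SQL.
        if action == sqlite3.SQLITE_READ and table == "author" and source is None:
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK
    conn.set_authorizer(authorizer)


def try_query(conn, sql):
    """Return the result rows, or the string 'denied' if the DBMS refused the statement."""
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.DatabaseError:  # SQLITE_AUTH surfaces as 'not authorized'
        return "denied"


if __name__ == "__main__":
    db = build_db()
    print("bad FK accepted?   ", insert_book(db, ("B5678", "No Such Author", "Computer", 900, 999999)))
    print("bad price accepted?", insert_book(db, ("B6789", "Free Book", "Computer", -1, 123456)))
    print("join:", books_with_authors(db))
    restrict_to_view(db)
    print("direct read:", try_query(db, "SELECT state FROM author WHERE author_no = 123456"))
    print("via view:   ", try_query(db, "SELECT last_name FROM author_public WHERE author_no = 123456"))
```

Running it shows what the DBMS itself enforces: a book that points at a non-existent author is refused by the foreign key, a negative price by the CHECK constraint, and the restricted connection can still answer questions through author_public while a direct read of the author table is refused. The slide places constrained-view controls in the front-end application; putting the same restriction into the DBMS, as the authorizer does here, means that bypassing the user interface does not bypass the control.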

Page 58: Application Security


Data Warehouse

Consolidated view of enterprise data
Data Mart
Designed to support decision making through data mining

Page 59: Application Security


Building Data Warehouse

Feed all data into a large, high-security database
Normalize the data
Mine the data for correlations to produce metadata
Sanitize and export the metadata to its intended users

Page 60: Application Security


Metadata

Information about data
Provides unseen relationships between data

Page 61: Application Security


Knowledge Discovery in Database (KDD)
Methods of identifying patterns in data
Some KDD methods use artificial intelligence (AI) techniques
Probabilistic Models
Statistical Approach
Classification Approach
Deviation & Trend Analysis
Neural Networks
Expert System Approach

Page 62: Application Security


Online Transaction Processing (OLTP)
Records transactions as they occur – in real time
Security concerns are concurrency and atomicity
Lock controls

Page 63: Application Security


Lock Controls – The ACID Test

Atomicity
Consistency
Isolation
Durability

Page 64: Application Security

Web Application Environment

Page 65: Application Security


Web Site Incidents

Vandalism
Financial Fraud
Privileged Access
Theft of Transaction Information
Theft of Intellectual Property
Denial of Service (DoS)

Page 66: Application Security


Web Hacks

Majority of hacks are at the application level
Firewalls provide minimum protection
Information Gathering
Administrative Interfaces
Configuration Management
Authentication and Access Control

Page 67: Application Security


Web Hacks (Cont…)

Input validation
Parameter Manipulation
Session Management

Page 68: Application Security


Web Application Security Principles

Validate all input and output
Fail Secure (closed)
Fail Safe
Make it simple
Defense in depth
Only as secure as your weakest link
Security by obscurity

Page 69: Application Security


Web Application Security Principles (Cont…)
Don’t cache secure pages
Ensure all encryption meets industry standards
Monitor third party code vendors for security alerts
Handle exceptions properly
Don’t trust any data from the client
Don’t trust any data from other servers, partners or other parts of the application
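To make "validate all input", "don't trust any data from the client" and "handle exceptions properly" concrete, here is an added example written for this transcript (it is not code from the slides or from NetSol) in Python with the standard sqlite3 module. It puts the malformed-input attack named in the Threats & Malware section, SQL injection, next to the two controls that stop it: a parameterized query, so the DBMS never interprets client data as SQL, and allowlist validation that fails closed. The users table, the allowlist pattern for usernames and the shape of the request handler are the example's own assumptions.

```python
import re
import sqlite3

# Constructed sample table for the demo (assumption, not from the slides).
USERS = [("alice", "staff"), ("bob", "admin"), ("carol", "staff")]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Trusts the client: the string is pasted into the SQL text, so SQL metacharacters
    in it change the query's meaning (the 'Malformed Input / SQL Injection' threat)."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Parameterized query: the value travels separately from the SQL text, so the
    DBMS compares it as data and never parses it as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Allowlist for usernames (assumption for the demo): 3-32 chars, starting with a
# lower-case letter, then lower-case letters, digits or underscores.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def validate_username(value):
    """Fail closed: anything that is not a string matching the allowlist is rejected,
    rather than being passed on in the hope that a later layer copes with it."""
    if not isinstance(value, str) or USERNAME_RE.fullmatch(value) is None:
        raise ValueError("username rejected by input validation")
    return value


def handle_request(conn, username):
    """Request handler: validated input, parameterized query, and exceptions handled
    so the client sees a generic status rather than DBMS error text."""
    try:
        rows = lookup_parameterized(conn, validate_username(username))
    except ValueError:
        return {"status": "rejected", "rows": []}
    except sqlite3.Error:
        # Log the detail server-side; the client only learns that the request failed.
        return {"status": "error", "rows": []}
    return {"status": "ok", "rows": rows}


if __name__ == "__main__":
    db = build_db()
    # Constructed inputs: a valid name, an odd but harmless string, and the classic
    # quote-and-OR probe that turns the concatenated query into 'match every row'.
    for name in ("bob", "Bob; drop", "x' OR '1'='1"):
        print(repr(name))
        print("  vulnerable   :", lookup_vulnerable(db, name))
        print("  parameterized:", lookup_parameterized(db, name))
        print("  handler      :", handle_request(db, name))
```

The vulnerable lookup returns every row for the probe string; the parameterized lookup returns nothing, because the DBMS compares the whole string as a username; and the handler rejects it before a query is even built, which is the fail-closed behaviour the principles slide asks for. Validation and parameterization are independent layers (defense in depth): validation also catches non-string or oversized input that a parameter binding would pass through unchanged.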

Page 70: Application Security

Review Questions

Page 71: Application Security


1. Databases are used to combine the data from many sources into one discrete source. Which of the following is not a reason to create a database?

a. A database will eliminate the need for data duplication across many systems
b. A database will preserve storage space
c. A database will prevent inconsistencies in the data by eliminating multiple copies of data
d. A database will deter insider inference attacks

Page 72: Application Security


2. Database design models have changed over the years. Which of the following models places the data in tables where the rows represent records and the columns represent attributes?

a. Hierarchical database management system
b. Relational database management system
c. Network database management system
d. Divergent database management system

Page 73: Application Security


3. Relational database management systems are used to show associations between objects contained in the database. Which of the following best describes a foreign key?

a. A foreign key is used to uniquely identify each row in the database
b. A foreign key is used to index a database
c. A foreign key is used to link elements of a table
d. A foreign key is used to join one table to the primary key of another table

Page 74: Application Security


4. In a relational database, which of the following is true concerning a primary key?

a. A primary key must contain a common identifier associated with all entries into a table

b. A primary key must contain a non-null value in order to uniquely identify the tuple

c. Primary keys can be identified by their unique number letter format

d. The use of primary keys is only required in network database management systems, and does not apply to RDBMS

Page 75: Application Security


5. Anne in the accounting department and Bill in auditing are both attempting to access an identical value in the accounts receivable database. Anne accesses the amount normally, but Bill receives an error message indicating that he has “read only” access. One possible reason for the error message is that the database management system (DBMS) has built-in features to prevent which of the following?

a. Static access retrieval
b. Automated queries
c. Inference attacks
d. Deadlocking

Page 76: Application Security


6. Which of the following database attacks describes an attack where the perpetrator uses information gained through authorized activity to reach conclusions relating to unauthorized data?

a. Unauthorized access attack
b. Bypass attack
c. SQL attack
d. Inference

Page 77: Application Security


7. Acme Corp. performs a nightly data transfer from all their active databases to a centralized server. The data is then normalized and the central server is queried to gain performance results for all sales locations. This activity describes which of the following?

a. Data warehouse
b. RDBMS
c. Data performance analysis
d. Metadata

Page 78: Application Security


8. A database that uses pre-defined groupings of data that can only be accessed based upon a user's authorization level uses which of the following access control models?

a. Role based access control
b. Mandatory access control
c. View based access control
d. Front end delineated access control

Page 79: Application Security


9. An artificial intelligence system that gathers information from subject matter experts and attempts to use programmed rules to analyze problems and suggest a recommended course of action is called which of the following?

a. Classification approach
b. Probabilistic approach
c. Statistical approach
d. Expert system approach

Page 80: Application Security


10. After being closed for the weekend, on Monday morning Acme Corp. finds that their servers are running slowly. The CPUs are showing 100% utilization. Network traffic is also exceptionally high. At the close of business on Friday, all systems were behaving normally. Closer examination is likely to reveal which of the following infestations?

a. Data Diddler
b. D-DOS Attack
c. Virus
d. Worm

Page 81: Application Security


11. A screen saver that opens an encrypted tunnel to a website under malicious control with the purpose of allowing attackers access to the infected machine is an example of which of the following malware?

a. Logic Bomb
b. Trojan Horse
c. Virtual Private Network
d. Spyware

Page 82: Application Security


12. One of the most significant differences between the software development life cycle and the system life cycle is that the software development life cycle does not include which of the following phases?

a. Decommissioning/Disposal
b. Startup/requirements
c. Development/construction
d. Operational testing

Page 83: Application Security


13. Which of the following is not a software development method?

a. Iterative development
b. Joint Interactive
c. Computer Aided Software Engineering
d. Reuse model

Page 84: Application Security


14. One of the major differences between a software compiler and a software interpreter is that:

a. A software compiler will translate lines of code on the fly
b. An interpreter will translate lines of code on the fly
c. A software compiler will convert high level programming language into assembly code
d. An interpreter will convert high level programming language into assembly code

Page 85: Application Security


15. The primary key is used to uniquely identify records in a database. By adding additional variables to the primary key, two items with the same identifier can be differentiated. This is often used to prevent inference attacks. Which of the following is best described by this scenario?

a. Polymorphism
b. Poly-alphabetic
c. Polyinstantiation
d. Polyvariabolic

Page 86: Application Security


16. Common Object Request Broker Architecture (CORBA) is designed to:

a. Control access to called object modules
b. Prevent objects in one class from affecting objects in another class
c. Ensure that the calling objects use inheritance properties properly
d. Determine access permissions for message-passing operations

Page 87: Application Security


17. Applications can NOT use which of the following methods to detect system attacks?

a. Known Signature Scanning
b. Activity Monitoring
c. Change Detection
d. Differential Linear Analysis

Page 88: Application Security


18. Configuration management ensures that approved changes are implemented as approved. Change management ensures which of the following?

a. Corporate officers are aware of all impending changes
b. Applicable regulatory compliance is adhered to
c. Changes are submitted, approved and recorded
d. Configuration changes are assigned to the most qualified individuals

Page 89: Application Security


19. Periodic vendor bug and vulnerability fixes need to be installed by a patch management system. These systems are limited in scope by which of the following?

a. Network bandwidth
b. Version of the operating system under test
c. Limits on agent operation
d. Source code availability

Page 90: Application Security


20. Accreditation and certification deal with similar security issues. Which of the following statements is true about certification and accreditation?

a. Accreditation is the technical analysis of a system to ensure that specific security requirements are met
b. Certification is the technical analysis of a system to ensure that specific security requirements are met
c. Accreditation is the sign-off by the IT staff that the system under test meets the manufacturer’s security specifications
d. Certification is the sign-off by the IT staff that the system under test meets the manufacturer’s security specifications

Page 91: Application Security


21. XYZ Corp. has created a new application for tracking customer information as well as their product database. Of the following individuals, who should be given full access and control over this application?

a. Network administrator
b. No one
c. Security administrator
d. Application developer