SlideShare a Scribd company logo

CISSP Domain 08 Software Development Security.pdf

G
gealehegn

The document provides a comprehensive overview of software development security, covering concepts like secure programming practices, software development methodologies, and the software development life cycle (SDLC). It discusses various development models such as waterfall, spiral, and extreme programming, and emphasizes the importance of integrating security into these processes. Additionally, it highlights tools and practices for security assessment, vulnerability management, and software assurance frameworks like the Capability Maturity Model and Software Assurance Maturity Model.

Education
1 of 113
Downloaded 16 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Most read
19
20
21
22
23
24
25
26
27
28
29
Most read
30
31
32
33
Most read
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
CISSP® is a registered trademark of (ISC)² ® Certified Information Systems Security Professional (CISSP) Certification Training Course
Domain 08: Software Development Security
Learning Objectives By the end of this lesson, you will be able to: Define object-oriented programming and explain the terms associated with it Compare source code analysis tools Explain software security and assurance Discuss the effectiveness of software security Implement web application environment security concepts Discuss different software development methods
Introduction to Software Development Security
Importance of Software Development Security It was noticed that, regardless of the number of bidders, one vendor always managed to get the contract to supply bottles and cans for one of the processing units. Nutri Worldwide Inc. has developed a vendor management system for their vendor management process. One of the key features of the new software is the centralized bidding process for contracts. After a thorough investigation it was found that this vendor managed to access the bidding data. During the programming and testing phase of the development of the software, secure programming practices were not implemented.
Understand and Integrate Security in the Software Development Life Cycle (SDLC)
Systems Development Life Cycle The systems development life cycle is a system development model used throughout the IT industry. 1. Prepare a security Plan 2. Development or Acquisition 3. Implementation 4. Operation or maintenance 5. Disposal Systems Development Life Cycle (SDLC)
Systems Development Life Cycle Security controls should be included in every phase of the systems development life cycle. The security control process includes: 1. Conducting a sensitivity assessment 2. Determining security requirements 3. Creating security specifications 4. Installing or switching on controls 5. Security testing 6. Certification and accreditation 7. Managing change and configuration
Software Development Models The software development methodology is a framework that is used to structure, plan, and control the process of software development. To manage a project efficiently, the manager or development team must choose the software development methodology that will work best for the project at hand. All methodologies have different strengths and weaknesses and exist for different reasons.
Software Development Models Waterfall model • The waterfall model is a linear application development model that uses rigid phases. • In 1976, Barry Boehm reinterpreted the waterfall model. • The modified waterfall model allows one to return to a previous phase for verification or validation. Requirements Design Implementation Verification Maintenance
Software Development Models Spiral model • In 1988, Barry Boehm developed the spiral model. • It is a meta-model that incorporates several software development models. • It combines the idea of iterative development with the systematic and controlled aspects of the waterfall model. • It includes risk management within software development. 1. Determine objectives 3. Development and Test 2. Identify and resolve risks 4. Plan the next iteration Review Cumulative cost progress Release
Software Development Models • Rapid-application development (RAD) is a form of rapid prototyping. • Software is developed via the use of prototypes, dummy GUIs, and back-end databases. • The goal is to meet the system’s business need. TRADITIONAL RAD PROTOTYPE CYCLES ANALYSIS HIGH-LEVEL DESIGN DETAILED DESIGN CONSTRUCTION TESTING IMPLEMENTATION ANALYSIS AND QUICK DEMONSTRATE IMPLEMENTATION TESTING REFINE BUILD Rapid-application development
Software Development Models Extreme programming • Extreme programming is a discipline of software development. • It is based on the values of simplicity, communication, and feedback. • It is a structured approach, relying on subprojects. • It is an agile software development method. User Stories Small Releases Acceptance Tests Iteration Release Planning Architectural Spike Spike Test Scenarios Requirements Uncertain Estimates Confident Estimates Release Plan Latest Version Customer Approval Next Iteration New User Story Project Velocity
Software Development Models Other software development models include: Prototyping Modified prototype model Reuse model Exploratory model Computer-aided software engineering (CASE) Component-based development Joint analysis development (JAD) model
DevOps DevOps, derived from the terms development and operations, is a software development method that emphasizes communication, collaboration, and integration between the organization’s software developers and IT staff. Features: • It helps an organization quickly produce software products and services. • It ensures the adoption of Quality Assurance to improve Technology Operations’ performance. Technology Operations DevOps
DevOps Benefits of DevOps • Better communication between developers and operations • Continuous integration and continuous deployment • Increased software quality and security • Rapid improvement based on regular feedback • Faster time to market for software
DevSecOps Operations Security Development Quality Assurance DevSecOps Trade secret • DevSecOps extends the DevOps workflow to include automated security processes and tools. • DevSecOps follows secure by design principle by using automated review of code and automated application of security testing and educating and empowering developers to use secure design patterns.
Trade Secret • Identify vulnerabilities in the early stages of the software development life cycle thereby reducing costs and increasing the deployment speed . • Improve overall security by reducing vulnerabilities, reducing insecure defaults, and increasing code coverage and automation using immutable infrastructure • Reduce the mean time to resolve (MTTR) security incidents by monitoring and using remediation practices DevSecOps Benefits of DevSecOps
DevSecOps • Access control • Patch management • Audit and compliance • Change control • Penetration testing • Dynamic analysis (DAST) • Configuration management • Hardening • Infra-vulnerability scanning • Threat model • Security architecture • Training • Secure code review • Static analysis (SAST) • Third-party component analysis • Log collection • Intrusion detection • Analytics • SIEM • Final security review • Compliance validation
Software Capability Maturity Model (CMM) Levels The Capability Maturity Model (CMM) is based on the premise that the quality of a software product is a direct function of the quality of its associated software development and maintenance processes. The five maturity levels of CMM are: Level 1: Initial Level 2: Repeatable Level 3: Defined Level 4: Managed Level 5: Optimized Focuses on continuous process improvement Processes measured and controlled Processes characterized for the organization, proactive Processes characterized for projects, often reactive Processes unpredictable, poorly controlled and reactive Information source: https://en.wikipedia.org/wiki/Capability_Maturity_Model and https://imgur.com/WERTTou
Software Assurance Maturity Model (SAMM) The Software Assurance Maturity Model (SAMM) is an open framework that provides an effective, measurable way for all types of organizations to analyze and improve their software security posture.
Software Assurance Maturity Model (SAMM) Measurable Defined maturity levels across business practices Actionable Clear pathways for improving maturity levels Versatile Technology, process, and organization agnostic
SDLC: Operation and Maintenance The various activities in the operation and maintenance phase are: • Ensure operations’ continuity • Monitor system performance • Detect vulnerabilities • Manage and avoid problems in the system • Secure recovery of systems • Analyze risk periodically • Follow change management procedures • Verify compliance
Change Management Change management allows companies to manage, monitor, and optimize software changes to ensure that:
Change Management Software change management follows a recognized procedure. Due diligence is carried out to assess the business impact of any software change prior to a decision being taken on if the rollout takes place. The scope is verified for completion and accuracy both before and after the deployment or change takes place.
Change Management The following flow diagram explains the change management process. Identify the need for change Analyze the request Request for change Approve/Reject the change Schedule and implement the change Test the change Perform risk assessment Document the change Report changes to the management
Integrated Product Team (IPT) An integrated product team (IPT) is a multi-disciplinary team that helps facilitate decision-making by: • Working together to build successful programs • Identifying and resolving issues • Making comprehensive and timely recommendations
Integrated Product Team (IPT) The team comprises of members from the organization’s appropriate functional disciplines and is: • Used to review and make decisions in complex programs and projects • A forum for collaboration that involves all stakeholders
Identify and Apply Security Controls in Software Development Ecosystems
Control Type Accuracy Security Consistency Preventive Data checks, custom screens, validity checks, contingency planning, and backups Firewalls, reference monitor, sensitivity labels, traffic padding, encryption, data classification, one-time passwords, separate test, and development environments Data dictionary, programming standards, and DBMS Detective Cyclic redundancy checks, structured walk through, hash totals, and reasonableness checks IDS and audit trails Comparison tools, relationship tests, and reconciliation controls Corrective Backups, control reports, before and after imaging reports, and checkpoint restarts Emergency response and reference monitor Program comments and database controls Application Controls The following are the controls and categories of application controls:
The common types of programming languages are as follows: Programming Languages • Machine language: Machine language is a software program that is executed directly by the CPU. • Assembly language: Assembly language is a low-level computer programming language. • High-level language: In high-level language, programmers write the code using logical words and symbols. Hardware Machine Language Assembly Language High-Level Language FORTAN PASCAL C
Assembly Language Assembly language must be converted into executable machine code by a utility program referred to as an assembler. Image Source: https://www.androidauthority.com/assembly-language-and-machine-code-678230/ An assembly language is a low-level programming language designed for a specific type of processor.
Compiler Vs. Interpreter Basis of Difference Compiler Interpreter Compiling a Program A compiled program is compiled only once. An Interpreted code is compiled each time the program is run. High-Level Instructions It translates high-level instructions directly into machine language. It translates high-level instructions into an intermediate form. Speed Compiled programs run faster. Interpreted programs run slower than compiled programs. Search for Errors It searches for all the errors of a program and lists them. It checks a program statement by statement for errors. Error List Generation It generates the error message only after scanning the whole program. It continues translating the program until the first error is met, in which case it stops. Debugging It is comparatively hard. It is easy. Use It is difficult to use. It is easier to use. Examples C, C++ Python, Ruby
Libraries A software library is a set of precompiled helper functions, objects, or modules that are intended to be reused during software development. Software libraries include the following components: Some of the software library implementation best practices are: • Standard libraries provided by most languages such as Python, C, C++, C#, Java, Ruby etc. • Open-source libraries, which are free to reuse, modify and publish without any permission • Third-party libraries • Custom libraries • Use libraries only from trusted sources that are actively maintained and widely used by several applications • Create and maintain an inventory catalog of all the third-party libraries • Proactively keep libraries and components up to date
Toolsets A software development tool is a program that software developers use to create, debug, maintain, or otherwise support other programs and applications.
Toolsets Tools and toolsets can help improve the developer's productivity. Source code editors Code review tools Compilation and linking tools Memory debuggers Performance analysis tools Unit testing tools GUI interface generators List of tools:
Integrated Development Environment (IDE) Integrated development environments, or IDEs, are software platforms that provide programmers and developers with a comprehensive set of tools for software development in a single product. Benefits of using IDEs • IDEs provide programming capabilities through a text editor or a GUI (Graphical User Interface). • IDEs come with some pre-installed libraries for the specific programming languages. • IDEs support compiling, debugging, version control, platform-specific code suggestions, or code deployment.
Runtime System • A runtime system refers to the collection of hardware and software resources needed for program execution on a computer system. • The low-level services provided by a runtime system include processor interfacing, memory loading, and digital-to-binary conversion among others. • The higher-level services include type checking, code generation, debugging, or code optimization. For example: Java Runtime Environment (JRE) provides the complete framework for executing and managing Java programs.
Continuous Integration Continuous Integration and Continuous Delivery (CI/CD) is a modern software development practice that allows for frequent code change in an incremental, repeatable, and secure manner. Continuous Integration: Application code changes are regularly built, tested, and merged to a shared repository several times a day.
Continuous Delivery and Continuous Deployment Continuous Delivery: Application code changes are automatically bug tested and uploaded to a repository (like Github), ready to be deployed to production by the operations team (manually).
Continuous Delivery and Continuous Deployment Continuous Deployment is the next step after continuous delivery. Application code changes are automatically deployed into production whenever it passes the automated tests.
Continuous Integration, Continuous Delivery, and Continuous Deployment Continuous Deployment Build Unit test Shared repository Acceptance tests Deploy to productions Auto Auto Auto Auto Continuous Delivery Build Unit test Shared repository Acceptance tests Deploy to productions Auto Auto Auto Continuous Integration Build Unit test Shared repository Acceptance tests Auto Auto Auto Manual
Security Orchestration, Automation, and Response (SOAR) Security Orchestration, Automation, and Response (SOAR) refers to software solutions and tools that aggregate inputs from a variety of sources and build automated response to low-level known security events. Capabilities of SOAR technologies include: • Threat and vulnerability management • Security incident response • Security operations’ automation
Discussion
Discussion Why is it important to prevent developers of code from being able to move their compiled programs into production?
Software Configuration Management (SCM) Software configuration management (SCM) refers to the process to systematically manage, organize, and control the changes in the documents, codes, and other entities during the SDLC. Information source: https://www.energy.gov/sites/default/files/cioprod/documents/scmguide.pdf
Software Configuration Management (SCM) Processes • Identification is the process of identifying all the components of a project. • Version control combines procedures and tools to handle different versions of configuration objects that are generated during the software process. • Change control is the process where the proposed changes to the project are reviewed and incorporated into the software configuration if approved. • Configuration audit is the process to confirm that the approved changes have been implemented. • Reporting provides accurate data on the current status and configuration. SCM Process Configuration audit Information source: https://www.energy.gov/sites/default/files/cioprod/documents/scmguide.pdf
Code Repositories Code repository is a file archive and Web hosting facility in which a large number of source codes are stored privately or publicly. Securing a code repository includes physical, system, operational, software, and communication security, file systems and backups, and access control. For example, a source code repository is used by open-source projects and other multi-developer projects to handle various versions.
Source Code Analysis Tools Static application security test (SAST) • White-box security test • Requires source code • Finds vulnerabilities in the earlier stages of an SDLC • Less expensive to fix vulnerabilities • Can’t discover runtime- and environment-related issues • Supports all software Dynamic application security test (DAST) • Black-box security test • Requires a running application • Finds vulnerabilities towards the later stages of an SDLC • More expensive to fix vulnerabilities • Can discover runtime- and environment-related issues • Predominantly deals with Web apps
SAST vs. DAST Total potential security issues DAST SAST SAST only • Hard-coded secrets • Code quality issues • Issues in dead or unused code • Insecure crypto functions • Complex injection issues DAST only • Environment configuration issues • Patch-level issues • Runtime privilege issues • Authentication issues • Session management issues DAST and SAST • SQL injection • Cross-site scripting • Buffer overflows • Path traversal • Format string issues
Source Code Analysis Tools Interactive application security testing (IAST) • Combines the advantages of SAST and DAST • Agents and sensors within an application analyze all interactions to identify vulnerabilities in real time • Accurately identifies the source of vulnerability • Performed during the early stages of the SDLC • Integrates easily into CI/CD pipelines Runtime application security protection (RASP) • Incorporates security into a running application on a server • Detects and blocks cyber attacks on an application in real time without human intervention • May have an adverse effect on application performance • May create a sense of false security within a development team
Database and Data Warehousing Environments A database is a structured collection of related data that allows queries, insertions, deletions, and many other functions. The database model should provide the following: • Persistence • Data sharing • Recovery or fault tolerance • Database language • Security and integrity Database concepts:
Database Terms The common database terms are as follows: Record File Database Database management system (DBMS) Attribute or column Tuple or row Primary key View Foreign key Cell Schema or structure Data dictionary
DBMS Controls The basic DBMS controls are: • Lock controls • ACID: Atomicity, consistency, isolation, and durability • Discretionary access control (DAC) • Mandatory access control (MAC) • View-based access controls • Grant and revoke access controls • Metadata controls • Data contamination controls • Online transaction processing (OLTP) control
Deadlocking Query attacks Unauthorized access Polyinstantiation Inference Data contamination Interception of data Web security Database: Threats and Vulnerabilities The common database threats and vulnerabilities are: Bypass attacks Concurrency Improper modification of data Time of check or time of use (TOC or TOU) Aggregation Views Denial of service Server access
Introduction to Data Warehousing It is designed for query and analysis and contains historical data derived from transaction data. A data warehouse is a database designed to enable business intelligence activities. To enhance business intelligence, it works with data collected from multiple sources.
Data Warehousing Concepts 1 2 3 4 5 6 7 8 Data warehouse Data normalization Data mining Data dictionary Metadata Online analytical processing (OLAP) Data scrubbing Database integrity: • Referential integrity • Semantic integrity • Entity integrity
Assess the Effectiveness of Software Security
Secure Software Development: Best Practices The best practices for secure software development are provided by: Open Web Application Security Project (OWASP) Web Application Security Consortium (WASC) ISO/iEC
It is a strict implementation of a reference monitor mechanism. Security kernel is responsible for enforcing a security policy. It is a small portion of the operating system through which all references to information and all changes to authorization must pass. Software Security and Assurance
Software Security and Assurance Three basic conditions of kernel: Completeness Isolation Verifiability
Software Security and Assurance Processor privilege states • The processor privilege states protect the processor and the activities that it performs. • It records the processor state in a register that can only be altered when the processor is operating in a privileged state. • The hardware typically controls entry into the privilege mode. • The privilege-level mechanism should prevent memory access. Bounds checking • Bounds checking is any method of detecting whether a variable is within some bounds. • It prevents buffer overflows on input.
Software Security and Assurance: Parameter Checking Parameter checking is implemented by the programmer. It involves checking the input data for disallowed characters, length, data type, and format. Other technologies to protect against buffer overflows include canaries.
Software Security and Assurance: Memory Protection • To ensure processes cannot interfere with each other’s local memory • To ensure common memory areas are protected against unauthorized access Memory protection can be ensured by partitioning memory: Memory Protection is necessary to protect the memory used by one process from unauthorized access by another.
Software Security and Assurance: Granularity of Controls Granularity of controls ensures that the security controls are granular enough to address both program and user. Inadequate granularity of controls can be addressed by: • Proper implementation of the concept of least privilege • Setting reasonable limits on the user • Separation of duties and functions • Ensuring programmers are not the system administrators or users of the application • Granting users only those permissions necessary to do their job
Software Security and Assurance: Separation of Environments Separation of environments is essential to control how each environment can access the application and the data. Control measures to protect the various environments include: • Physical isolation of environment • Physical or temporal separation of data for each environment • Access control lists • Content dependent access controls • Role-based constraints • Role definition stability • Accountability • Separation of duties
Business senario Business Scenario Kevin read the policy which Hilda Jacobs, General Manager: IT Security, Nutri Worldwide Inc., had created for improving the software development process. Per the policy, programmers will write, compile, and carry out initial testing of the application’s functionality and implementation in the development environment. • When the application is ready for production, the users and quality assurance team will carry out functional testing within the testing and quality assurance environment. When the application is accepted by the user community, it is moved into production environment. Question: Which software security mechanism is the policy based on?
Business senario Business Scenario Kevin read the policy which Hilda Jacobs, General Manager: IT Security, Nutri Worldwide Inc., had created for improving the software development process. Per the policy, programmers will write, compile, and carry out initial testing of the application’s functionality and implementation in the development environment. • When the application is ready for production, the users and quality assurance team will carry out functional testing within the testing and quality assurance environment. When the application is accepted by the user community, it is moved into production environment. Question: Which software security mechanism is the policy based on? Answer: : Separation of environments into development, quality assurance, and one of the production, application, or production environments.
• The common Time of Check or Time of Use (TOC or TOU) hazards are file-based race conditions • To avoid TOC or TOU problems: o Programmer should avoid any file system call that takes a filename for an input o Files that are to be used should be kept in their own directory o Directory must only be accessible by the universal ID (UID) of the program performing the file operation Software Security and Assurance: TOC or TOU Prevention of Time of Check or Time of Use (TOC or TOU)
Software Security and Assurance: Prevention of Social Engineering • Social engineering is a way where the attackers try to use social influence over users to extract confidential information. • To protection against social engineering attacks: o Provide users and help desk staff a proper framework to work o Make users aware of the threat o Give users the proper procedures for handling unusual requests for information
Backing up operating system and application software is a method of ensuring productivity in the event of a system crash. Information is available in the event of an emergency through data, programs, documentation, computing, and communications equipment redundancy. Software Security and Assurance: Backup
Maintaining the source code Contingency planning documents Software Security and Assurance: Backup Disk mirroring Disk mirroring Redundant array of independent disks (RAID) Backup control functions include:
Software Security and Assurance: Software Forensics • Software forensics is the study of malicious software and protection against malicious code. • It can be used: o To determine whether a problem is a result of carelessness or was deliberately introduced as a payload o To obtain information about authorship and the culture behind a given programmer o To obtain the sequence in which related programs were written o To provide evidence about a suspected author of a program o To determine intellectual property issues o To recover source code that has been lost
Software Security and Assurance: Cryptography Cryptographic techniques protect information by transforming the data through encryption schemes. They are used to protect the confidentiality and integrity of information. Encryption algorithms can be used to encrypt specific files located within the operating system.
Software Security and Assurance: Password Protection • Operating system and application software use passwords as a convenient mechanism to authenticate users. • Password protections include controls on: o How the password is selected o How complex the password is o Password time limits o Password length • The most common solution is to encrypt password files using one-way encryption algorithms or hashing. • Another feature for password security involves an overstrike or password masking feature.
Software Security and Assurance: Mobile Code Controls Mobile code controls protect the user from viewing web pages which have programs attached to them The system should garbage collect memory to prevent both malicious and accidental memory leakage. Secured systems should limit mobile code or applets access to system resources.
Software Security and Assurance: Sandbox Sandbox is one of the control mechanisms for mobile code. Limits are placed on the amount of memory and processor resources the program can consume. It provides a protective area for program execution. A sandbox can be created on the client side to protect the resource usage from applets.
Software Security and Assurance: Strong language support Strong language support is a method of providing safe execution of programs such as Java. It ensures that arrays stay in bounds, the pointers are always valid, and code cannot violate variable typing. Java does an internal check called static type checking.
Software Security: XML and Security Assertion Markup Language Following are the languages used to provide software security: XML • XML stands for Extensible Markup Language. • It is a world wide web consortium standard for structuring data in a text file. • XML is called extensible because the symbols are unlimited and can be defined by the user or author. SAML • SAML stands for Security Assertion Markup Language. • It is a format that uses XML to describe security information. • An important requirement for this is the web browser single sign-on (SSO). • An example is using cookies.
Audit and Assurance Mechanisms The following are the audit and assurance mechanisms: Configuration management Information accuracy Information integrity Information auditing Certification Information protection management Change management Accreditation
Methods to Assess the Effectiveness of Software Security • It involves certification and accreditation or authorization of systems that process, store, or transmit information. • It ensures a control framework is selected and uniformly implemented across the organization with the help of standards. System Authorization Auditing and Logging Risk Analysis and Mitigation Testing and Verification
Methods to Assess the Effectiveness of Software Security • Most software are released with vulnerabilities; auditing and logging help identify security issues. • Organizations must address these issues by applying procedures to maintain and check information integrity, accuracy. System Authorization Auditing and Logging Risk Analysis and Mitigation Testing and Verification
Methods to Assess the Effectiveness of Software Security Risk analysis and mitigation must be integrated in the SDLC as an ongoing activity, and in change management. It involves: • Using standardized methods outlined in frameworks such as ISO and NIST to assess risk and report to stakeholders • Tracking and managing vulnerabilities • Taking corrective actions for mitigation by reviewing and prioritizing the findings System Authorization Auditing and Logging Risk Analysis and Mitigation Testing and Verification
Methods to Assess the Effectiveness of Software Security All mitigations applied should be thoroughly tested and verified by independent security assessors to ensure that the security flaw has been mitigated. System Authorization Auditing and Logging Risk Analysis and Mitigation Testing and Verification
Certification • Technical review that assesses the security mechanism and evaluates their effectiveness • The process may use safeguard evaluation, risk analysis, verification, testing, and auditing techniques • The goal is to ensure the system is right for the customer’s purpose • Certification is often an internal verification and is only trusted within the organization Certification and accreditation (C and A) is the process used to evaluate and approve a system for use. C and A is a two-step process that includes:
Accreditation • Accreditation is the formal declaration by the designated approving authority (DAA) that an IT system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk. • Once the accreditation is performed, management can formally accept the adequacy of the overall security performance of an evaluated system. Certification and accreditation (C and A) is the process used to evaluate and approve a system for use. C and A is a two-step process that includes:
Assess Security Impact of Acquired Software
Assessing the Security Impact of Acquired Software 88 The security of the acquired software can be assessed by: • Using security tools to test the software for vulnerabilities • Verifying whether the software development firm followed secure processes • Checking developer conformance to international standards such as ISO 27034 Acquired software can introduce new vulnerabilities into the system and may have an impact on the organization’s risk posture.
Commercial-Off-The-Shelf (COTS) Commercial-off-the-shelf (COTS) refers to hardware or software products that are ready-made and available for purchase in the commercial market.
Commercial-Off-The-Shelf (COTS) • COTS usually offer paid or free customer support. • COTS vendor regularly releases software and firmware patches to address vulnerabilities. • Security vulnerabilities in COTS can introduce significant risk. • Unavailability of source code limits testing and monitoring COTS. • COTS helps companies validate if security testing has been performed with international standards such as Common Criteria and FIPS. • COTS has the ability to perform black box and fuzzy testing.
Free and Open-Source Software Free and Open-Source Software (FOSS) is licensed to be free to use, modify, and distribute. This allows other developers the opportunity to contribute to the development and improvement of a software like a community.
Free and Open-Source Software Free software doesn't mean the software is free of cost. While FOSS is often available free of charge, its main difference with proprietary software is that it is free, as in freedom. The freedom to run the program as you wish, for any purpose The freedom to redistribute copies so you can help others The freedom to study how the program works and change it so it does your computing as you wish The freedom to improve the program and release your modified versions to others
Open-Source Advocates of open-source software believe that if more users view the source code, they will eventually find all bugs and suggest how to fix them. Linus's Law states that given enough eyeballs, all bugs are shallow. On the other hand, advocates of proprietary systems note that open-source software may allow hackers to find security vulnerabilities more easily than closed-source software. Because the code of proprietary software is hidden, it must be more secure.
Open-Source Security through obscurity isn’t enough to protect your system. Many eyes on the code doesn’t guarantee timely review or patch updates. Both proprietary and open-source software have security vulnerabilities.
Third-Party Develop new software for organization’s business needs Customize or tailor an existing commercial software Many organizations outsource software development projects to third party suppliers, who will: Information source: https://www.veracode.com/sites/default/files/pdf/resources/guides/best-practices-third-party-software-security-veracode-guide.pdf and https://apps.dtic.mil/dtic/tr/fulltext/u2/a495389.pdf
Third-Party Risks • Intellectual property rights dispute • Inadequate software specification resulting in increased scope and costs • Contract dispute which could adversely affect supplier delivery • Poor security practices resulting in software vulnerabilities • Lack of ongoing support Best practices • Develop a third-party security policy • Take a risk-based approach to application security (threat modeling) • Verify policies and security practices followed by the vendor • Establish security metrics and SLA • Conduct independent application security testing
Define and Apply Secure Coding Guidelines and Standards
Security of Application Programming Interfaces (APIs) Application Programming Interface (API) is an interface that enables transfer of data between two or more applications. Simple Object Access Protocol (SOAP): A protocol and standard for exchanging information between web services in a structured format Representational State Transfer (REST): A software architecture style consisting of guidelines and best practices for creating scalable web services
Security of Application Programming Interfaces (APIs): Best Practices Set API limit and throttling Use API keys or basic access authentication (user or password) Use API Gateway Adopt zero trust philosophy Encrypt data Monitor and log all traffic Perform input validation and sanitization
API Formats Simple Object Access Protocol (SOAP) • XML based message protocol • Uses SOAP envelope and then HTTP (FTP/SMTP) to transfer the data • Only supports XML format • Slower performance, scalability can be complex and caching is not possible • Used where REST is not possible, provides WS-* features Representational State Transfer (REST) • An architectural style protocol • Uses only simple hypertext transfer protocol (HTTP) • Supports many different data formats like JavaScript Object Notation (JSON), eXtensible Markup Language (XML), and Yet Another Multicolumn Layout (YAML) • Performance and scalability are good and uses caching • Widely used
OWASP Secure Coding Practices Access Control Input Validation Output Encoding Authentication and Password Management Session Management Memory Management Cryptographic Practices General Coding Practices Data Protection Communication Security Database Security File Management System Configuration Information source: https://owasp.org/www-pdf-archive/OWASP_SCP_Quick_Reference_Guide_v2.pdf
Software-Defined Security Software-defined security (SDS) is a type of security model in which the information security in a computing environment is implemented, controlled, and managed by a security software. Networking Real-Time Services Storage Security Artificial Intelligence Automation Data Center Cloud Services Virtualization Software Defined Everything (SDx/SDE): Information sourcehttps://www.gartner.com/smarterwithgartner/securing-the-next-generation-data-center-with-software-defined-security/
Software-Defined Security: Benefits Enables security to protect workload and information regardless of location Enables automated provisioning and orchestration of security controls via policy Removes human errors via higher levels of automation Enables security to protect dynamic cloud-based workloads Helps limit the scope of data security breaches through segmentation
The following are the common types of threats and vulnerabilities of Web Application Environments: Web Application Environment: Threats and Vulnerabilities Authentication and access control Information gathering Absence of parameter validation Lack of administrative interfaces Unavailability of input validation Replay attack Denial of Service or DoS
Web Application Environment Security: Specific Protection Specific protections for Web applications are: • A particular assurance sign-off process for web servers • Hardening the operating system used on such servers by: o Removing default configurations and accounts o Configuring permissions and privileges correctly and o Keeping up to date with vendor patches. • Extending Web and network vulnerability scans prior to deployment
Web Application Environment Security: Specific Protection • Passively assessing o Intrusion detection system (IDS) and o Advanced intrusion prevention system (IPS) technology • Using application proxy firewalls • Disabling any unnecessary documentation and libraries
Web Application Environment Security: Administrative Interface Protection • Administrative interface protection restricts access to authorized hosts or networks and then use strong (possibly multifactor) user authentication. • They ensure the security of the credentials. • It uses account lockout and extended logging and audit and protect all authentication traffic with encryption.
• Input validation ensures that the proxies can deal with problems of: ○ Buffer overflows ○ Authentication issues ○ Scripting ○ Submission of commands to the underlying platform and encoding issues ○ URL encoding and translation Web Application Environment Security: Input Validation
The sessions or periods of apparent attachment to the server are controlled by other technologies, such as cookies or URL data, which must be both protected and validated. • If using cookies, always encrypt them. • Do not use sequential, calculable, or predictable cookies, session numbers, or URL data for these purposes. • Use random and unique indicators. Web Application Environment Security: Sessions Protection
Web Application Environment Security: Web Applications Protection To make sure the web application is secure, the following methods need to be followed: Validate all input and output Fail secure (closed) Make your application or system simple Use secure network design Use defense in depth
Key Takeaways System environments include distributed environment, client-server systems, local environment, distributed data processing (DDP), agents, and applets. The various phases of SDLC are prepare a security plan, development or acquisition, implementation, operation or maintenance, and disposal. Object-oriented programming uses an object metaphor to design and write computer programs.
Key Takeaways A data warehouse is a storage facility comprising data from several databases. The ten best practices introduced by (ISC)2 can help fulfill the mission of building hack-resilient software. A database is a structured collection of related data. The various types are relational model hierarchical model, network model, distributed model, and object- oriented model.
This concludes Software Development Security. Thank you CISSP® is a registered trademark of (ISC)² ®

More Related Content

What's hot (20)

PDF
Security: The Value of SBOMs
Weaveworks
 
PPTX
Security Information and Event Management (SIEM)
hardik soni
 
PDF
SentinelOne - NOAH19 Tel Aviv
NOAH Advisors
 
PDF
Trend micro deep security
Trend Micro
 
PDF
Understanding the NIST Risk Management Framework: 800-37 Rev. 2
Denise Tawwab
 
PDF
Complete Endpoint protection
xband
 
PDF
Trend Micro Solutions Overview
John D. Haden
 
PPTX
Understanding cyber resilience
Christophe Foulon, CISSP
 
PDF
Building an Analytics Enables SOC
Splunk
 
PDF
Bulding Soc In Changing Threat Landscapefinal
Mahmoud Yassin
 
PPTX
Information Security Management System ISO/IEC 27001:2005
ControlCase
 
PPTX
Defend Your Data Now with the MITRE ATT&CK Framework
Tripwire
 
PDF
Microsoft 365 Enterprise Security with E5 Overview
David J Rosenthal
 
PDF
IPS (intrusion prevention system)
Netwax Lab
 
PPTX
Cisco Web and Email Security Overview
Cisco Security
 
PDF
SIEM and Threat Hunting
n|u - The Open Security Community
 
PPTX
Introduction to SOC
Boni Yeamin
 
PPTX
To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?
NetEnrich, Inc.
 
PPTX
Effective Security Operation Center - present by Reza Adineh
ReZa AdineH
 
PPT
SOC presentation- Building a Security Operations Center
Michael Nickle
 
Security: The Value of SBOMs
Weaveworks
 
Security Information and Event Management (SIEM)
hardik soni
 
SentinelOne - NOAH19 Tel Aviv
NOAH Advisors
 
Trend micro deep security
Trend Micro
 
Understanding the NIST Risk Management Framework: 800-37 Rev. 2
Denise Tawwab
 
Complete Endpoint protection
xband
 
Trend Micro Solutions Overview
John D. Haden
 
Understanding cyber resilience
Christophe Foulon, CISSP
 
Building an Analytics Enables SOC
Splunk
 
Bulding Soc In Changing Threat Landscapefinal
Mahmoud Yassin
 
Information Security Management System ISO/IEC 27001:2005
ControlCase
 
Defend Your Data Now with the MITRE ATT&CK Framework
Tripwire
 
Microsoft 365 Enterprise Security with E5 Overview
David J Rosenthal
 
IPS (intrusion prevention system)
Netwax Lab
 
Cisco Web and Email Security Overview
Cisco Security
 
SIEM and Threat Hunting
n|u - The Open Security Community
 
Introduction to SOC
Boni Yeamin
 
To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?
NetEnrich, Inc.
 
Effective Security Operation Center - present by Reza Adineh
ReZa AdineH
 
SOC presentation- Building a Security Operations Center
Michael Nickle
 

Similar to CISSP Domain 08 Software Development Security.pdf (20)

PPTX
7.2-0-D8-October2021 (Software Development Security).pptx
roongrus
 
PPTX
Lecture 10.pptx
MuhammadRehan856177
 
PPTX
INTRODUCTION TO SOFTWARE DEVELOPMENT.pptx
mordave7722
 
PPTX
INTRODUCTION TO SOFTWARE DEVELOPMENT.pptx
mordave7722
 
PDF
An Ultimate 10 Point DevOps Checklist for your Organization.pdf
Sparity1
 
PDF
Software Development Today Everything You Need To Know.pdf
christiemarie4
 
PPTX
How to add security in dataops and devops
Ulf Mattsson
 
DOCX
Software development life cycle
Afrasiyab Haider
 
PDF
Phil Green - We're migrating to the cloud - Who needs service management
itSMF UK
 
PPT
Sept 2008 Presentation Quality & Project Management
Haroon Abbu
 
PDF
Is an agile SDLC an oxymoron?
Dave Sharrock
 
PDF
Cutting Edge on Development Methodologies in IT
Andrea Tino
 
PDF
Top 5 software development methodologies_ Explained.docx.pdf
JPLoft Solutions
 
PPTX
Project Mangement
MUFIX Community
 
PPTX
Managing Technology Projects
AllianceMSFourOneEig
 
PDF
Microservices Workshop - Craft Conference
Adrian Cockcroft
 
PPTX
How to get the best out of DevSecOps - a security perspective
Colin Domoney
 
DOCX
The DevOps promise: IT delivery that’s hot-off-the-catwalk and made-to-last
Peter Shirley-Quirk
 
PDF
Fifteen Years of DevOps -- LISA 2012 keynote
Geoff Halprin
 
PDF
An introduction to DevOps
Andrea Tino
 
7.2-0-D8-October2021 (Software Development Security).pptx
roongrus
 
Lecture 10.pptx
MuhammadRehan856177
 
INTRODUCTION TO SOFTWARE DEVELOPMENT.pptx
mordave7722
 
INTRODUCTION TO SOFTWARE DEVELOPMENT.pptx
mordave7722
 
An Ultimate 10 Point DevOps Checklist for your Organization.pdf
Sparity1
 
Software Development Today Everything You Need To Know.pdf
christiemarie4
 
How to add security in dataops and devops
Ulf Mattsson
 
Software development life cycle
Afrasiyab Haider
 
Phil Green - We're migrating to the cloud - Who needs service management
itSMF UK
 
Sept 2008 Presentation Quality & Project Management
Haroon Abbu
 
Is an agile SDLC an oxymoron?
Dave Sharrock
 
Cutting Edge on Development Methodologies in IT
Andrea Tino
 
Top 5 software development methodologies_ Explained.docx.pdf
JPLoft Solutions
 
Project Mangement
MUFIX Community
 
Managing Technology Projects
AllianceMSFourOneEig
 
Microservices Workshop - Craft Conference
Adrian Cockcroft
 
How to get the best out of DevSecOps - a security perspective
Colin Domoney
 
The DevOps promise: IT delivery that’s hot-off-the-catwalk and made-to-last
Peter Shirley-Quirk
 
Fifteen Years of DevOps -- LISA 2012 keynote
Geoff Halprin
 
An introduction to DevOps
Andrea Tino
 
Ad

More from gealehegn (16)

PDF
CISSP Domain 05 Identity and Access Management (IAM).pdf
gealehegn
 
PDF
isc2 CISSP Domain 07 Security Operations.pdf
gealehegn
 
PPTX
CISSP Domain 03 Security Architecture and Engineering.pptx
gealehegn
 
PPTX
CISSP Domain 02 Asset Securitycissp.pptx
gealehegn
 
PPT
MIC_3e_Ch3Add more information to your upload.ppt
gealehegn
 
PPT
How to Create an Effective PowerPoint.ppt
gealehegn
 
PPT
hel29999999999999999999999999999999999999999999.ppt
gealehegn
 
PPT
csce201 - software - sec Basic Security.ppt
gealehegn
 
PPT
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
gealehegn
 
PPT
ch03Threat Modeling - Locking the Door to Vulnerabilities.ppt
gealehegn
 
PPT
PCI_Security_Awareness12345678904321.ppt
gealehegn
 
PPT
Taiwan_2wehuikl;lkjjk;ivfazzfffggggh.ppt
gealehegn
 
PPT
pci-comp pci requirements and controls.ppt
gealehegn
 
PPTX
SecurityDevelopmentLifecycle 202512.pptx
gealehegn
 
PPTX
Educause+PCI+briefing+4-19-20162345.pptx
gealehegn
 
PDF
PCI DSS Training compliance training for companies
gealehegn
 
CISSP Domain 05 Identity and Access Management (IAM).pdf
gealehegn
 
isc2 CISSP Domain 07 Security Operations.pdf
gealehegn
 
CISSP Domain 03 Security Architecture and Engineering.pptx
gealehegn
 
CISSP Domain 02 Asset Securitycissp.pptx
gealehegn
 
MIC_3e_Ch3Add more information to your upload.ppt
gealehegn
 
How to Create an Effective PowerPoint.ppt
gealehegn
 
hel29999999999999999999999999999999999999999999.ppt
gealehegn
 
csce201 - software - sec Basic Security.ppt
gealehegn
 
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
gealehegn
 
ch03Threat Modeling - Locking the Door to Vulnerabilities.ppt
gealehegn
 
PCI_Security_Awareness12345678904321.ppt
gealehegn
 
Taiwan_2wehuikl;lkjjk;ivfazzfffggggh.ppt
gealehegn
 
pci-comp pci requirements and controls.ppt
gealehegn
 
SecurityDevelopmentLifecycle 202512.pptx
gealehegn
 
Educause+PCI+briefing+4-19-20162345.pptx
gealehegn
 
PCI DSS Training compliance training for companies
gealehegn
 
Ad

Recently uploaded (20)

PPTX
Optimizing Cancer Screening With MCED Technologies: From Science to Practical...
i3 Health
 
PDF
Living Systems Unveiled: Simplified Life Processes for Exam Success
omaiyairshad
 
PPTX
ENGLISH LEARNING ACTIVITY SHE W5Q1.pptxY
CHERIEANNAPRILSULIT1
 
PDF
Comprehensive Guide to Writing Effective Literature Reviews for Academic Publ...
AJAYI SAMUEL
 
PDF
Stepwise procedure (Manually Submitted & Un Attended) Medical Devices Cases
MUHAMMAD SOHAIL
 
PPTX
ANORECTAL MALFORMATIONS: NURSING MANAGEMENT.pptx
PRADEEP ABOTHU
 
PDF
FULL DOCUMENT: Read the full Deloitte and Touche audit report on the National...
Kweku Zurek
 
PPTX
Folding Off Hours in Gantt View in Odoo 18.2
Celine George
 
PDF
water conservation .pdf by Nandni Kumari XI C
Directorate of Education Delhi
 
PPTX
PYLORIC STENOSIS: NURSING MANAGEMENT.pptx
PRADEEP ABOTHU
 
PPTX
Mrs Mhondiwa Introduction to Algebra class
sabinaschimanga
 
PDF
BÀI TẬP BỔ TRỢ THEO LESSON TIẾNG ANH - I-LEARN SMART WORLD 7 - CẢ NĂM - CÓ ĐÁ...
Nguyen Thanh Tu Collection
 
PDF
A guide to responding to Section C essay tasks for the VCE English Language E...
jpinnuck
 
PPTX
PPT on the Development of Education in the Victorian England
Beena E S
 
PPTX
Various Psychological tests: challenges and contemporary trends in psychologi...
santoshmohalik1
 
PPTX
Maternal and Child Tracking system & RCH portal
Ms Usha Vadhel
 
PDF
IMP NAAC REFORMS 2024 - 10 Attributes.pdf
BHARTIWADEKAR
 
PPTX
Views on Education of Indian Thinkers J.Krishnamurthy..pptx
ShrutiMahanta1
 
PPTX
Capitol Doctoral Presentation -July 2025.pptx
CapitolTechU
 
PPTX
LEGAL ASPECTS OF PSYCHIATRUC NURSING.pptx
PoojaSen20
 
Optimizing Cancer Screening With MCED Technologies: From Science to Practical...
i3 Health
 
Living Systems Unveiled: Simplified Life Processes for Exam Success
omaiyairshad
 
ENGLISH LEARNING ACTIVITY SHE W5Q1.pptxY
CHERIEANNAPRILSULIT1
 
Comprehensive Guide to Writing Effective Literature Reviews for Academic Publ...
AJAYI SAMUEL
 
Stepwise procedure (Manually Submitted & Un Attended) Medical Devices Cases
MUHAMMAD SOHAIL
 
ANORECTAL MALFORMATIONS: NURSING MANAGEMENT.pptx
PRADEEP ABOTHU
 
FULL DOCUMENT: Read the full Deloitte and Touche audit report on the National...
Kweku Zurek
 
Folding Off Hours in Gantt View in Odoo 18.2
Celine George
 
water conservation .pdf by Nandni Kumari XI C
Directorate of Education Delhi
 
PYLORIC STENOSIS: NURSING MANAGEMENT.pptx
PRADEEP ABOTHU
 
Mrs Mhondiwa Introduction to Algebra class
sabinaschimanga
 
BÀI TẬP BỔ TRỢ THEO LESSON TIẾNG ANH - I-LEARN SMART WORLD 7 - CẢ NĂM - CÓ ĐÁ...
Nguyen Thanh Tu Collection
 
A guide to responding to Section C essay tasks for the VCE English Language E...
jpinnuck
 
PPT on the Development of Education in the Victorian England
Beena E S
 
Various Psychological tests: challenges and contemporary trends in psychologi...
santoshmohalik1
 
Maternal and Child Tracking system & RCH portal
Ms Usha Vadhel
 
IMP NAAC REFORMS 2024 - 10 Attributes.pdf
BHARTIWADEKAR
 
Views on Education of Indian Thinkers J.Krishnamurthy..pptx
ShrutiMahanta1
 
Capitol Doctoral Presentation -July 2025.pptx
CapitolTechU
 
LEGAL ASPECTS OF PSYCHIATRUC NURSING.pptx
PoojaSen20
 

CISSP Domain 08 Software Development Security.pdf

  • 1. CISSP® is a registered trademark of (ISC)² ® Certified Information Systems Security Professional (CISSP) Certification Training Course
  • 2. Domain 08: Software Development Security
  • 3. Learning Objectives By the end of this lesson, you will be able to: Define object-oriented programming and explain the terms associated with it Compare source code analysis tools Explain software security and assurance Discuss the effectiveness of software security Implement web application environment security concepts Discuss different software development methods
  • 4. Introduction to Software Development Security
  • 5. Importance of Software Development Security It was noticed that, regardless of the number of bidders, one vendor always managed to get the contract to supply bottles and cans for one of the processing units. Nutri Worldwide Inc. has developed a vendor management system for their vendor management process. One of the key features of the new software is the centralized bidding process for contracts. After a thorough investigation it was found that this vendor managed to access the bidding data. During the programming and testing phase of the development of the software, secure programming practices were not implemented.
  • 6. Understand and Integrate Security in the Software Development Life Cycle (SDLC)
  • 7. Systems Development Life Cycle The systems development life cycle is a system development model used throughout the IT industry. 1. Prepare a security Plan 2. Development or Acquisition 3. Implementation 4. Operation or maintenance 5. Disposal Systems Development Life Cycle (SDLC)
  • 8. Systems Development Life Cycle Security controls should be included in every phase of the systems development life cycle. The security control process includes: 1. Conducting a sensitivity assessment 2. Determining security requirements 3. Creating security specifications 4. Installing or switching on controls 5. Security testing 6. Certification and accreditation 7. Managing change and configuration
  • 9. Software Development Models The software development methodology is a framework that is used to structure, plan, and control the process of software development. To manage a project efficiently, the manager or development team must choose the software development methodology that will work best for the project at hand. All methodologies have different strengths and weaknesses and exist for different reasons.
  • 10. Software Development Models Waterfall model • The waterfall model is a linear application development model that uses rigid phases. • In 1976, Barry Boehm reinterpreted the waterfall model. • The modified waterfall model allows one to return to a previous phase for verification or validation. Requirements Design Implementation Verification Maintenance
  • 11. Software Development Models Spiral model • In 1988, Barry Boehm developed the spiral model. • It is a meta-model that incorporates several software development models. • It combines the idea of iterative development with the systematic and controlled aspects of the waterfall model. • It includes risk management within software development. 1. Determine objectives 3. Development and Test 2. Identify and resolve risks 4. Plan the next iteration Review Cumulative cost progress Release
  • 12. Software Development Models • Rapid-application development (RAD) is a form of rapid prototyping. • Software is developed via the use of prototypes, dummy GUIs, and back-end databases. • The goal is to meet the system’s business need. TRADITIONAL RAD PROTOTYPE CYCLES ANALYSIS HIGH-LEVEL DESIGN DETAILED DESIGN CONSTRUCTION TESTING IMPLEMENTATION ANALYSIS AND QUICK DEMONSTRATE IMPLEMENTATION TESTING REFINE BUILD Rapid-application development
  • 13. Software Development Models Extreme programming • Extreme programming is a discipline of software development. • It is based on the values of simplicity, communication, and feedback. • It is a structured approach, relying on subprojects. • It is an agile software development method. User Stories Small Releases Acceptance Tests Iteration Release Planning Architectural Spike Spike Test Scenarios Requirements Uncertain Estimates Confident Estimates Release Plan Latest Version Customer Approval Next Iteration New User Story Project Velocity
  • 14. Software Development Models Other software development models include: Prototyping Modified prototype model Reuse model Exploratory model Computer-aided software engineering (CASE) Component-based development Joint analysis development (JAD) model
  • 15. DevOps DevOps, derived from the terms development and operations, is a software development method that emphasizes communication, collaboration, and integration between the organization’s software developers and IT staff. Features: • It helps an organization quickly produce software products and services. • It ensures the adoption of Quality Assurance to improve Technology Operations’ performance. Technology Operations DevOps
  • 16. DevOps Benefits of DevOps • Better communication between developers and operations • Continuous integration and continuous deployment • Increased software quality and security • Rapid improvement based on regular feedback • Faster time to market for software
  • 17. DevSecOps Operations Security Development Quality Assurance DevSecOps Trade secret • DevSecOps extends the DevOps workflow to include automated security processes and tools. • DevSecOps follows secure by design principle by using automated review of code and automated application of security testing and educating and empowering developers to use secure design patterns.
  • 18. Trade Secret • Identify vulnerabilities in the early stages of the software development life cycle thereby reducing costs and increasing the deployment speed . • Improve overall security by reducing vulnerabilities, reducing insecure defaults, and increasing code coverage and automation using immutable infrastructure • Reduce the mean time to resolve (MTTR) security incidents by monitoring and using remediation practices DevSecOps Benefits of DevSecOps
  • 19. DevSecOps • Access control • Patch management • Audit and compliance • Change control • Penetration testing • Dynamic analysis (DAST) • Configuration management • Hardening • Infra-vulnerability scanning • Threat model • Security architecture • Training • Secure code review • Static analysis (SAST) • Third-party component analysis • Log collection • Intrusion detection • Analytics • SIEM • Final security review • Compliance validation
  • 20. Software Capability Maturity Model (CMM) Levels The Capability Maturity Model (CMM) is based on the premise that the quality of a software product is a direct function of the quality of its associated software development and maintenance processes. The five maturity levels of CMM are: Level 1: Initial Level 2: Repeatable Level 3: Defined Level 4: Managed Level 5: Optimized Focuses on continuous process improvement Processes measured and controlled Processes characterized for the organization, proactive Processes characterized for projects, often reactive Processes unpredictable, poorly controlled and reactive Information source: https://en.wikipedia.org/wiki/Capability_Maturity_Model and https://imgur.com/WERTTou
  • 21. Software Assurance Maturity Model (SAMM) The Software Assurance Maturity Model (SAMM) is an open framework that provides an effective, measurable way for all types of organizations to analyze and improve their software security posture.
  • 22. Software Assurance Maturity Model (SAMM) Measurable Defined maturity levels across business practices Actionable Clear pathways for improving maturity levels Versatile Technology, process, and organization agnostic
  • 23. SDLC: Operation and Maintenance The various activities in the operation and maintenance phase are: • Ensure operations’ continuity • Monitor system performance • Detect vulnerabilities • Manage and avoid problems in the system • Secure recovery of systems • Analyze risk periodically • Follow change management procedures • Verify compliance
  • 24. Change Management Change management allows companies to manage, monitor, and optimize software changes to ensure that:
  • 25. Change Management Software change management follows a recognized procedure. Due diligence is carried out to assess the business impact of any software change prior to a decision being taken on if the rollout takes place. The scope is verified for completion and accuracy both before and after the deployment or change takes place.
  • 26. Change Management The following flow diagram explains the change management process. Identify the need for change Analyze the request Request for change Approve/Reject the change Schedule and implement the change Test the change Perform risk assessment Document the change Report changes to the management
  • 27. Integrated Product Team (IPT) An integrated product team (IPT) is a multi-disciplinary team that helps facilitate decision-making by: • Working together to build successful programs • Identifying and resolving issues • Making comprehensive and timely recommendations
  • 28. Integrated Product Team (IPT) The team comprises of members from the organization’s appropriate functional disciplines and is: • Used to review and make decisions in complex programs and projects • A forum for collaboration that involves all stakeholders
  • 29. Identify and Apply Security Controls in Software Development Ecosystems
  • 30. Control Type Accuracy Security Consistency Preventive Data checks, custom screens, validity checks, contingency planning, and backups Firewalls, reference monitor, sensitivity labels, traffic padding, encryption, data classification, one-time passwords, separate test, and development environments Data dictionary, programming standards, and DBMS Detective Cyclic redundancy checks, structured walk through, hash totals, and reasonableness checks IDS and audit trails Comparison tools, relationship tests, and reconciliation controls Corrective Backups, control reports, before and after imaging reports, and checkpoint restarts Emergency response and reference monitor Program comments and database controls Application Controls The following are the controls and categories of application controls:
  • 31. The common types of programming languages are as follows: Programming Languages • Machine language: Machine language is a software program that is executed directly by the CPU. • Assembly language: Assembly language is a low-level computer programming language. • High-level language: In high-level language, programmers write the code using logical words and symbols. Hardware Machine Language Assembly Language High-Level Language FORTAN PASCAL C
  • 32. Assembly Language Assembly language must be converted into executable machine code by a utility program referred to as an assembler. Image Source: https://www.androidauthority.com/assembly-language-and-machine-code-678230/ An assembly language is a low-level programming language designed for a specific type of processor.
  • 33. Compiler Vs. Interpreter Basis of Difference Compiler Interpreter Compiling a Program A compiled program is compiled only once. An Interpreted code is compiled each time the program is run. High-Level Instructions It translates high-level instructions directly into machine language. It translates high-level instructions into an intermediate form. Speed Compiled programs run faster. Interpreted programs run slower than compiled programs. Search for Errors It searches for all the errors of a program and lists them. It checks a program statement by statement for errors. Error List Generation It generates the error message only after scanning the whole program. It continues translating the program until the first error is met, in which case it stops. Debugging It is comparatively hard. It is easy. Use It is difficult to use. It is easier to use. Examples C, C++ Python, Ruby
  • 34. Libraries A software library is a set of precompiled helper functions, objects, or modules that are intended to be reused during software development. Software libraries include the following components: Some of the software library implementation best practices are: • Standard libraries provided by most languages such as Python, C, C++, C#, Java, Ruby etc. • Open-source libraries, which are free to reuse, modify and publish without any permission • Third-party libraries • Custom libraries • Use libraries only from trusted sources that are actively maintained and widely used by several applications • Create and maintain an inventory catalog of all the third-party libraries • Proactively keep libraries and components up to date
  • 35. Toolsets A software development tool is a program that software developers use to create, debug, maintain, or otherwise support other programs and applications.
  • 36. Toolsets Tools and toolsets can help improve the developer's productivity. Source code editors Code review tools Compilation and linking tools Memory debuggers Performance analysis tools Unit testing tools GUI interface generators List of tools:
  • 37. Integrated Development Environment (IDE) Integrated development environments, or IDEs, are software platforms that provide programmers and developers with a comprehensive set of tools for software development in a single product. Benefits of using IDEs • IDEs provide programming capabilities through a text editor or a GUI (Graphical User Interface). • IDEs come with some pre-installed libraries for the specific programming languages. • IDEs support compiling, debugging, version control, platform-specific code suggestions, or code deployment.
  • 38. Runtime System • A runtime system refers to the collection of hardware and software resources needed for program execution on a computer system. • The low-level services provided by a runtime system include processor interfacing, memory loading, and digital-to-binary conversion among others. • The higher-level services include type checking, code generation, debugging, or code optimization. For example: Java Runtime Environment (JRE) provides the complete framework for executing and managing Java programs.
  • 39. Continuous Integration Continuous Integration and Continuous Delivery (CI/CD) is a modern software development practice that allows for frequent code change in an incremental, repeatable, and secure manner. Continuous Integration: Application code changes are regularly built, tested, and merged to a shared repository several times a day.
  • 40. Continuous Delivery and Continuous Deployment Continuous Delivery: Application code changes are automatically bug tested and uploaded to a repository (like Github), ready to be deployed to production by the operations team (manually).
  • 41. Continuous Delivery and Continuous Deployment Continuous Deployment is the next step after continuous delivery. Application code changes are automatically deployed into production whenever it passes the automated tests.
  • 42. Continuous Integration, Continuous Delivery, and Continuous Deployment Continuous Deployment Build Unit test Shared repository Acceptance tests Deploy to productions Auto Auto Auto Auto Continuous Delivery Build Unit test Shared repository Acceptance tests Deploy to productions Auto Auto Auto Continuous Integration Build Unit test Shared repository Acceptance tests Auto Auto Auto Manual
  • 43. Security Orchestration, Automation, and Response (SOAR) Security Orchestration, Automation, and Response (SOAR) refers to software solutions and tools that aggregate inputs from a variety of sources and build automated response to low-level known security events. Capabilities of SOAR technologies include: • Threat and vulnerability management • Security incident response • Security operations’ automation
  • 45. Discussion Why is it important to prevent developers of code from being able to move their compiled programs into production?
  • 46. Software Configuration Management (SCM) Software configuration management (SCM) refers to the process to systematically manage, organize, and control the changes in the documents, codes, and other entities during the SDLC. Information source: https://www.energy.gov/sites/default/files/cioprod/documents/scmguide.pdf
  • 47. Software Configuration Management (SCM) Processes • Identification is the process of identifying all the components of a project. • Version control combines procedures and tools to handle different versions of configuration objects that are generated during the software process. • Change control is the process where the proposed changes to the project are reviewed and incorporated into the software configuration if approved. • Configuration audit is the process to confirm that the approved changes have been implemented. • Reporting provides accurate data on the current status and configuration. SCM Process Configuration audit Information source: https://www.energy.gov/sites/default/files/cioprod/documents/scmguide.pdf
  • 48. Code Repositories Code repository is a file archive and Web hosting facility in which a large number of source codes are stored privately or publicly. Securing a code repository includes physical, system, operational, software, and communication security, file systems and backups, and access control. For example, a source code repository is used by open-source projects and other multi-developer projects to handle various versions.
  • 49. Source Code Analysis Tools Static application security test (SAST) • White-box security test • Requires source code • Finds vulnerabilities in the earlier stages of an SDLC • Less expensive to fix vulnerabilities • Can’t discover runtime- and environment-related issues • Supports all software Dynamic application security test (DAST) • Black-box security test • Requires a running application • Finds vulnerabilities towards the later stages of an SDLC • More expensive to fix vulnerabilities • Can discover runtime- and environment-related issues • Predominantly deals with Web apps
  • 50. SAST vs. DAST Total potential security issues DAST SAST SAST only • Hard-coded secrets • Code quality issues • Issues in dead or unused code • Insecure crypto functions • Complex injection issues DAST only • Environment configuration issues • Patch-level issues • Runtime privilege issues • Authentication issues • Session management issues DAST and SAST • SQL injection • Cross-site scripting • Buffer overflows • Path traversal • Format string issues
  • 51. Source Code Analysis Tools Interactive application security testing (IAST) • Combines the advantages of SAST and DAST • Agents and sensors within an application analyze all interactions to identify vulnerabilities in real time • Accurately identifies the source of vulnerability • Performed during the early stages of the SDLC • Integrates easily into CI/CD pipelines Runtime application security protection (RASP) • Incorporates security into a running application on a server • Detects and blocks cyber attacks on an application in real time without human intervention • May have an adverse effect on application performance • May create a sense of false security within a development team
  • 52. Database and Data Warehousing Environments A database is a structured collection of related data that allows queries, insertions, deletions, and many other functions. The database model should provide the following: • Persistence • Data sharing • Recovery or fault tolerance • Database language • Security and integrity Database concepts:
  • 53. Database Terms The common database terms are as follows: Record File Database Database management system (DBMS) Attribute or column Tuple or row Primary key View Foreign key Cell Schema or structure Data dictionary
  • 54. DBMS Controls The basic DBMS controls are: • Lock controls • ACID: Atomicity, consistency, isolation, and durability • Discretionary access control (DAC) • Mandatory access control (MAC) • View-based access controls • Grant and revoke access controls • Metadata controls • Data contamination controls • Online transaction processing (OLTP) control
  • 55. Deadlocking Query attacks Unauthorized access Polyinstantiation Inference Data contamination Interception of data Web security Database: Threats and Vulnerabilities The common database threats and vulnerabilities are: Bypass attacks Concurrency Improper modification of data Time of check or time of use (TOC or TOU) Aggregation Views Denial of service Server access
  • 56. Introduction to Data Warehousing It is designed for query and analysis and contains historical data derived from transaction data. A data warehouse is a database designed to enable business intelligence activities. To enhance business intelligence, it works with data collected from multiple sources.
  • 57. Data Warehousing Concepts 1 2 3 4 5 6 7 8 Data warehouse Data normalization Data mining Data dictionary Metadata Online analytical processing (OLAP) Data scrubbing Database integrity: • Referential integrity • Semantic integrity • Entity integrity
  • 58. Assess the Effectiveness of Software Security
  • 59. Secure Software Development: Best Practices The best practices for secure software development are provided by: Open Web Application Security Project (OWASP) Web Application Security Consortium (WASC) ISO/iEC
  • 60. It is a strict implementation of a reference monitor mechanism. Security kernel is responsible for enforcing a security policy. It is a small portion of the operating system through which all references to information and all changes to authorization must pass. Software Security and Assurance
  • 61. Software Security and Assurance Three basic conditions of kernel: Completeness Isolation Verifiability
  • 62. Software Security and Assurance Processor privilege states • The processor privilege states protect the processor and the activities that it performs. • It records the processor state in a register that can only be altered when the processor is operating in a privileged state. • The hardware typically controls entry into the privilege mode. • The privilege-level mechanism should prevent memory access. Bounds checking • Bounds checking is any method of detecting whether a variable is within some bounds. • It prevents buffer overflows on input.
  • 63. Software Security and Assurance: Parameter Checking Parameter checking is implemented by the programmer. It involves checking the input data for disallowed characters, length, data type, and format. Other technologies to protect against buffer overflows include canaries.
  • 64. Software Security and Assurance: Memory Protection • To ensure processes cannot interfere with each other’s local memory • To ensure common memory areas are protected against unauthorized access Memory protection can be ensured by partitioning memory: Memory Protection is necessary to protect the memory used by one process from unauthorized access by another.
  • 65. Software Security and Assurance: Granularity of Controls Granularity of controls ensures that the security controls are granular enough to address both program and user. Inadequate granularity of controls can be addressed by: • Proper implementation of the concept of least privilege • Setting reasonable limits on the user • Separation of duties and functions • Ensuring programmers are not the system administrators or users of the application • Granting users only those permissions necessary to do their job
  • 66. Software Security and Assurance: Separation of Environments Separation of environments is essential to control how each environment can access the application and the data. Control measures to protect the various environments include: • Physical isolation of environment • Physical or temporal separation of data for each environment • Access control lists • Content dependent access controls • Role-based constraints • Role definition stability • Accountability • Separation of duties
  • 67. Business senario Business Scenario Kevin read the policy which Hilda Jacobs, General Manager: IT Security, Nutri Worldwide Inc., had created for improving the software development process. Per the policy, programmers will write, compile, and carry out initial testing of the application’s functionality and implementation in the development environment. • When the application is ready for production, the users and quality assurance team will carry out functional testing within the testing and quality assurance environment. When the application is accepted by the user community, it is moved into production environment. Question: Which software security mechanism is the policy based on?
  • 68. Business senario Business Scenario Kevin read the policy which Hilda Jacobs, General Manager: IT Security, Nutri Worldwide Inc., had created for improving the software development process. Per the policy, programmers will write, compile, and carry out initial testing of the application’s functionality and implementation in the development environment. • When the application is ready for production, the users and quality assurance team will carry out functional testing within the testing and quality assurance environment. When the application is accepted by the user community, it is moved into production environment. Question: Which software security mechanism is the policy based on? Answer: : Separation of environments into development, quality assurance, and one of the production, application, or production environments.
  • 69. • The common Time of Check or Time of Use (TOC or TOU) hazards are file-based race conditions • To avoid TOC or TOU problems: o Programmer should avoid any file system call that takes a filename for an input o Files that are to be used should be kept in their own directory o Directory must only be accessible by the universal ID (UID) of the program performing the file operation Software Security and Assurance: TOC or TOU Prevention of Time of Check or Time of Use (TOC or TOU)
  • 70. Software Security and Assurance: Prevention of Social Engineering • Social engineering is a way where the attackers try to use social influence over users to extract confidential information. • To protection against social engineering attacks: o Provide users and help desk staff a proper framework to work o Make users aware of the threat o Give users the proper procedures for handling unusual requests for information
  • 71. Backing up operating system and application software is a method of ensuring productivity in the event of a system crash. Information is available in the event of an emergency through data, programs, documentation, computing, and communications equipment redundancy. Software Security and Assurance: Backup
  • 72. Maintaining the source code Contingency planning documents Software Security and Assurance: Backup Disk mirroring Disk mirroring Redundant array of independent disks (RAID) Backup control functions include:
  • 73. Software Security and Assurance: Software Forensics • Software forensics is the study of malicious software and protection against malicious code. • It can be used: o To determine whether a problem is a result of carelessness or was deliberately introduced as a payload o To obtain information about authorship and the culture behind a given programmer o To obtain the sequence in which related programs were written o To provide evidence about a suspected author of a program o To determine intellectual property issues o To recover source code that has been lost
  • 74. Software Security and Assurance: Cryptography Cryptographic techniques protect information by transforming the data through encryption schemes. They are used to protect the confidentiality and integrity of information. Encryption algorithms can be used to encrypt specific files located within the operating system.
  • 75. Software Security and Assurance: Password Protection • Operating system and application software use passwords as a convenient mechanism to authenticate users. • Password protections include controls on: o How the password is selected o How complex the password is o Password time limits o Password length • The most common solution is to encrypt password files using one-way encryption algorithms or hashing. • Another feature for password security involves an overstrike or password masking feature.
  • 76. Software Security and Assurance: Mobile Code Controls Mobile code controls protect the user from viewing web pages which have programs attached to them The system should garbage collect memory to prevent both malicious and accidental memory leakage. Secured systems should limit mobile code or applets access to system resources.
  • 77. Software Security and Assurance: Sandbox Sandbox is one of the control mechanisms for mobile code. Limits are placed on the amount of memory and processor resources the program can consume. It provides a protective area for program execution. A sandbox can be created on the client side to protect the resource usage from applets.
  • 78. Software Security and Assurance: Strong language support Strong language support is a method of providing safe execution of programs such as Java. It ensures that arrays stay in bounds, the pointers are always valid, and code cannot violate variable typing. Java does an internal check called static type checking.
  • 79. Software Security: XML and Security Assertion Markup Language Following are the languages used to provide software security: XML • XML stands for Extensible Markup Language. • It is a world wide web consortium standard for structuring data in a text file. • XML is called extensible because the symbols are unlimited and can be defined by the user or author. SAML • SAML stands for Security Assertion Markup Language. • It is a format that uses XML to describe security information. • An important requirement for this is the web browser single sign-on (SSO). • An example is using cookies.
  • 80. Audit and Assurance Mechanisms The following are the audit and assurance mechanisms: Configuration management Information accuracy Information integrity Information auditing Certification Information protection management Change management Accreditation
  • 81. Methods to Assess the Effectiveness of Software Security • It involves certification and accreditation or authorization of systems that process, store, or transmit information. • It ensures a control framework is selected and uniformly implemented across the organization with the help of standards. System Authorization Auditing and Logging Risk Analysis and Mitigation Testing and Verification
  • 82. Methods to Assess the Effectiveness of Software Security • Most software are released with vulnerabilities; auditing and logging help identify security issues. • Organizations must address these issues by applying procedures to maintain and check information integrity, accuracy. System Authorization Auditing and Logging Risk Analysis and Mitigation Testing and Verification
  • 83. Methods to Assess the Effectiveness of Software Security Risk analysis and mitigation must be integrated in the SDLC as an ongoing activity, and in change management. It involves: • Using standardized methods outlined in frameworks such as ISO and NIST to assess risk and report to stakeholders • Tracking and managing vulnerabilities • Taking corrective actions for mitigation by reviewing and prioritizing the findings System Authorization Auditing and Logging Risk Analysis and Mitigation Testing and Verification
  • 84. Methods to Assess the Effectiveness of Software Security All mitigations applied should be thoroughly tested and verified by independent security assessors to ensure that the security flaw has been mitigated. System Authorization Auditing and Logging Risk Analysis and Mitigation Testing and Verification
  • 85. Certification • Technical review that assesses the security mechanism and evaluates their effectiveness • The process may use safeguard evaluation, risk analysis, verification, testing, and auditing techniques • The goal is to ensure the system is right for the customer’s purpose • Certification is often an internal verification and is only trusted within the organization Certification and accreditation (C and A) is the process used to evaluate and approve a system for use. C and A is a two-step process that includes:
  • 86. Accreditation • Accreditation is the formal declaration by the designated approving authority (DAA) that an IT system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk. • Once the accreditation is performed, management can formally accept the adequacy of the overall security performance of an evaluated system. Certification and accreditation (C and A) is the process used to evaluate and approve a system for use. C and A is a two-step process that includes:
  • 87. Assess Security Impact of Acquired Software
  • 88. Assessing the Security Impact of Acquired Software 88 The security of the acquired software can be assessed by: • Using security tools to test the software for vulnerabilities • Verifying whether the software development firm followed secure processes • Checking developer conformance to international standards such as ISO 27034 Acquired software can introduce new vulnerabilities into the system and may have an impact on the organization’s risk posture.
  • 89. Commercial-Off-The-Shelf (COTS) Commercial-off-the-shelf (COTS) refers to hardware or software products that are ready-made and available for purchase in the commercial market.
  • 90. Commercial-Off-The-Shelf (COTS) • COTS usually offer paid or free customer support. • COTS vendor regularly releases software and firmware patches to address vulnerabilities. • Security vulnerabilities in COTS can introduce significant risk. • Unavailability of source code limits testing and monitoring COTS. • COTS helps companies validate if security testing has been performed with international standards such as Common Criteria and FIPS. • COTS has the ability to perform black box and fuzzy testing.
  • 91. Free and Open-Source Software Free and Open-Source Software (FOSS) is licensed to be free to use, modify, and distribute. This allows other developers the opportunity to contribute to the development and improvement of a software like a community.
  • 92. Free and Open-Source Software Free software doesn't mean the software is free of cost. While FOSS is often available free of charge, its main difference with proprietary software is that it is free, as in freedom. The freedom to run the program as you wish, for any purpose The freedom to redistribute copies so you can help others The freedom to study how the program works and change it so it does your computing as you wish The freedom to improve the program and release your modified versions to others
  • 93. Open-Source Advocates of open-source software believe that if more users view the source code, they will eventually find all bugs and suggest how to fix them. Linus's Law states that given enough eyeballs, all bugs are shallow. On the other hand, advocates of proprietary systems note that open-source software may allow hackers to find security vulnerabilities more easily than closed-source software. Because the code of proprietary software is hidden, it must be more secure.
  • 94. Open-Source Security through obscurity isn’t enough to protect your system. Many eyes on the code doesn’t guarantee timely review or patch updates. Both proprietary and open-source software have security vulnerabilities.
  • 95. Third-Party Develop new software for organization’s business needs Customize or tailor an existing commercial software Many organizations outsource software development projects to third party suppliers, who will: Information source: https://www.veracode.com/sites/default/files/pdf/resources/guides/best-practices-third-party-software-security-veracode-guide.pdf and https://apps.dtic.mil/dtic/tr/fulltext/u2/a495389.pdf
  • 96. Third-Party Risks • Intellectual property rights dispute • Inadequate software specification resulting in increased scope and costs • Contract dispute which could adversely affect supplier delivery • Poor security practices resulting in software vulnerabilities • Lack of ongoing support Best practices • Develop a third-party security policy • Take a risk-based approach to application security (threat modeling) • Verify policies and security practices followed by the vendor • Establish security metrics and SLA • Conduct independent application security testing
  • 97. Define and Apply Secure Coding Guidelines and Standards
  • 98. Security of Application Programming Interfaces (APIs) Application Programming Interface (API) is an interface that enables transfer of data between two or more applications. Simple Object Access Protocol (SOAP): A protocol and standard for exchanging information between web services in a structured format Representational State Transfer (REST): A software architecture style consisting of guidelines and best practices for creating scalable web services
  • 99. Security of Application Programming Interfaces (APIs): Best Practices Set API limit and throttling Use API keys or basic access authentication (user or password) Use API Gateway Adopt zero trust philosophy Encrypt data Monitor and log all traffic Perform input validation and sanitization
  • 100. API Formats Simple Object Access Protocol (SOAP) • XML based message protocol • Uses SOAP envelope and then HTTP (FTP/SMTP) to transfer the data • Only supports XML format • Slower performance, scalability can be complex and caching is not possible • Used where REST is not possible, provides WS-* features Representational State Transfer (REST) • An architectural style protocol • Uses only simple hypertext transfer protocol (HTTP) • Supports many different data formats like JavaScript Object Notation (JSON), eXtensible Markup Language (XML), and Yet Another Multicolumn Layout (YAML) • Performance and scalability are good and uses caching • Widely used
  • 101. OWASP Secure Coding Practices Access Control Input Validation Output Encoding Authentication and Password Management Session Management Memory Management Cryptographic Practices General Coding Practices Data Protection Communication Security Database Security File Management System Configuration Information source: https://owasp.org/www-pdf-archive/OWASP_SCP_Quick_Reference_Guide_v2.pdf
  • 102. Software-Defined Security Software-defined security (SDS) is a type of security model in which the information security in a computing environment is implemented, controlled, and managed by a security software. Networking Real-Time Services Storage Security Artificial Intelligence Automation Data Center Cloud Services Virtualization Software Defined Everything (SDx/SDE): Information sourcehttps://www.gartner.com/smarterwithgartner/securing-the-next-generation-data-center-with-software-defined-security/
  • 103. Software-Defined Security: Benefits Enables security to protect workload and information regardless of location Enables automated provisioning and orchestration of security controls via policy Removes human errors via higher levels of automation Enables security to protect dynamic cloud-based workloads Helps limit the scope of data security breaches through segmentation
  • 104. The following are the common types of threats and vulnerabilities of Web Application Environments: Web Application Environment: Threats and Vulnerabilities Authentication and access control Information gathering Absence of parameter validation Lack of administrative interfaces Unavailability of input validation Replay attack Denial of Service or DoS
  • 105. Web Application Environment Security: Specific Protection Specific protections for Web applications are: • A particular assurance sign-off process for web servers • Hardening the operating system used on such servers by: o Removing default configurations and accounts o Configuring permissions and privileges correctly and o Keeping up to date with vendor patches. • Extending Web and network vulnerability scans prior to deployment
  • 106. Web Application Environment Security: Specific Protection • Passively assessing o Intrusion detection system (IDS) and o Advanced intrusion prevention system (IPS) technology • Using application proxy firewalls • Disabling any unnecessary documentation and libraries
  • 107. Web Application Environment Security: Administrative Interface Protection • Administrative interface protection restricts access to authorized hosts or networks and then use strong (possibly multifactor) user authentication. • They ensure the security of the credentials. • It uses account lockout and extended logging and audit and protect all authentication traffic with encryption.
  • 108. • Input validation ensures that the proxies can deal with problems of: ○ Buffer overflows ○ Authentication issues ○ Scripting ○ Submission of commands to the underlying platform and encoding issues ○ URL encoding and translation Web Application Environment Security: Input Validation
  • 109. The sessions or periods of apparent attachment to the server are controlled by other technologies, such as cookies or URL data, which must be both protected and validated. • If using cookies, always encrypt them. • Do not use sequential, calculable, or predictable cookies, session numbers, or URL data for these purposes. • Use random and unique indicators. Web Application Environment Security: Sessions Protection
  • 110. Web Application Environment Security: Web Applications Protection To make sure the web application is secure, the following methods need to be followed: Validate all input and output Fail secure (closed) Make your application or system simple Use secure network design Use defense in depth
  • 111. Key Takeaways System environments include distributed environment, client-server systems, local environment, distributed data processing (DDP), agents, and applets. The various phases of SDLC are prepare a security plan, development or acquisition, implementation, operation or maintenance, and disposal. Object-oriented programming uses an object metaphor to design and write computer programs.
  • 112. Key Takeaways A data warehouse is a storage facility comprising data from several databases. The ten best practices introduced by (ISC)2 can help fulfill the mission of building hack-resilient software. A database is a structured collection of related data. The various types are relational model hierarchical model, network model, distributed model, and object- oriented model.
  • 113. This concludes Software Development Security. Thank you CISSP® is a registered trademark of (ISC)² ®