Application Security
CISSP Guide to Security Essentials
Chapter 3
Objectives
• Types of applications
• Application models and technologies
• Application threats and countermeasures
• Security in the software development life cycle
Objectives (cont.)
• Application security controls
• Databases and data warehouses
Types of Applications
• Agents
  – Standalone programs that are part of a larger application
  – Examples:
    • Anti-virus
    • Patch management
    • Configuration management
Types of Applications (cont.)
• Applets
  – Software programs that run within the context of another program
  – Example: media players within a browser
Types of Applications (cont.)
• Client-server
  – Separate programs on clients and servers communicate via networks and work together
  – Few are developed now, but many are still in use
Types of Applications (cont.)
• Distributed
  – Software components run on several systems
  – Two-tier, three-tier, multi-tier
  – Reasons: scalability, performance, geographical
Types of Applications (cont.)
• Web
  – Web browser as client, application server as back-end
  – Client software nearly universal
  – Application software centralized
Application Models and Technologies
• Control flow languages
• Structured languages
• Object oriented languages
• Knowledge based languages
Control Flow Languages
• Linear, sequential
• Use of “if – then – else”
• Branching with “go to”
• Examples:
  – BASIC, COBOL, Cold Fusion, FORTRAN, Perl, PHP, Python, VBScript
Structured Languages
• Nested, heavy use of subroutines and functions
• Little or no “go to”
• Examples:
  – C
  – Pascal
Object Oriented Languages
• Utilize concepts of object programming
  – Classes, objects, instances, and inheritance
  – Methods, instantiations
  – Encapsulation, abstraction, polymorphism
• Examples:
  – C++, Java, Ruby, Simula, Smalltalk
Knowledge Based Applications
• Neural networks
  – Modeled after biological reasoning processes
  – Artificial neurons that store pieces of information
  – Given cases about situations and outcomes, can predict future outcomes
Knowledge Based Applications (cont.)
• Expert systems
  – Inference engine and knowledge base of past situations and outcomes
Threats to Applications
• Reasons for attacks
  – Industrial espionage
  – Vandalism and disruption
  – Denial of service
  – Political / religious
Threats to Applications (cont.)
• Buffer overflow attacks
  – Disrupt a software application by providing more data to the application than it was designed to handle
Threats to Applications (cont.)
• Buffer overflow attacks (cont.)
  – Types
    • Stack buffer overflow
    • NOP sled attack
    • Heap overflow
    • Jump to register attack
In Java
• Instance variables and objects lie on the heap.
• Local variables and methods lie on the stack. So if we have a main method which calls the go() method, which in turn calls the gone() method, then the stack from top to bottom would consist of:
  • gone()
  • go()
  • main()
Threats to Applications (cont.)
• Buffer overflow examples: Morris worm, ping of death, Code Red worm
• Buffer overflow attack countermeasures
  – Use safe languages and libraries
  – Executable space protection
  – Stack smashing protection
  – Application firewalls
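As an added illustration of the first countermeasure above (this is not code from the textbook), here is the kind of bounded copy a safe library provides in place of strcpy(), in C. The 16-byte buffer, the sample names, and the function names are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 16   /* 15 characters plus the NUL terminator (constructed size) */

/* The classic defect: strcpy() copies until it finds a NUL in the source,
 * so any input longer than the destination overwrites whatever sits next
 * to it on the stack. Kept for contrast only; never called with real data. */
void unsafe_copy(char dst[NAME_BUF], const char *src) {
    strcpy(dst, src);
}

/* Hardened form. The destination size is part of the contract, the input is
 * measured before a single byte is written (memchr never scans past dst_size),
 * and oversized input is rejected rather than truncated, because silent
 * truncation can change the meaning of a path or a user name.
 * Returns 0 on success, -1 if the input does not fit; dst is untouched on -1. */
int safe_copy(char *dst, size_t dst_size, const char *src) {
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    const char *end = memchr(src, '\0', dst_size);
    if (end == NULL)                              /* no NUL within dst_size */
        return -1;
    memcpy(dst, src, (size_t)(end - src) + 1);    /* copies the NUL as well */
    return 0;
}

/* strncpy() is the usual "safe" substitute, but it does not terminate the
 * destination when the source is dst_size bytes or longer; the explicit
 * terminator below is the step that must never be forgotten.
 * Returns 0 if the whole input fit, 1 if it was truncated, -1 on bad args. */
int bounded_strncpy(char *dst, size_t dst_size, const char *src) {
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    strncpy(dst, src, dst_size - 1);
    dst[dst_size - 1] = '\0';
    return strlen(src) > dst_size - 1 ? 1 : 0;
}

int main(void) {
    char name[NAME_BUF];
    printf("safe_copy(\"alice\")        -> %d\n", safe_copy(name, sizeof name, "alice"));
    printf("safe_copy(16 chars)       -> %d (rejected, would overflow)\n",
           safe_copy(name, sizeof name, "0123456789abcdef"));
    printf("bounded_strncpy(21 chars) -> %d, stored \"%s\"\n",
           bounded_strncpy(name, sizeof name, "averyveryverylongname"), name);
    (void)unsafe_copy;
    return 0;
}
```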
Threats to Applications (cont.)
• Covert channel
  – Unintended and hidden channel of communications
  – Types:
    • Covert storage channel: read a storage location and learn about the application or other data
Threats to Applications (cont.)
  – Covert channel types (cont.)
    • Timing channel: observe timings in an application to determine what is happening in the application
• Covert channel countermeasures
  – Careful software analysis, good software engineering
  – Newer versions of firewalls
Threats to Applications (cont.)
• Side channel attack
  – An attack on a cryptosystem based upon physical information gained from the system
  – Examples: timing, power consumption, emanations, and even sounds
Threats to Applications (cont.)
• Side channel countermeasures
  – Limit release of information through shielding and other means
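The timing channel from the covert channel slide and the timing side channel above share one root cause in code: a comparison that stops at the first mismatch. As an added example that is not from the textbook, the C below makes that leak visible as an iteration count (a stand-in for elapsed time) and shows the constant-time comparison used as the countermeasure; the 8-byte tag values and function names are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Early-exit comparison, the shape of memcmp() and strcmp(): the loop leaves
 * at the first mismatch, so running time grows with the length of the matching
 * prefix. Returning the iteration count makes the leak visible without a
 * stopwatch: an observer who can time the call learns the same number. */
size_t leaky_equal_steps(const uint8_t *a, const uint8_t *b, size_t n) {
    size_t i;
    for (i = 0; i < n; i++)
        if (a[i] != b[i])
            break;
    return i;
}

/* Constant-time comparison for fixed-length secrets (MAC tags, hashes):
 * every byte is visited, mismatches accumulate with OR, and no branch or
 * memory access depends on the data. Returns 1 if equal, 0 otherwise.
 * n must be public and the same for both inputs; comparing against a
 * secret-dependent length would reintroduce the leak. Production code uses
 * a library routine (e.g. OpenSSL's CRYPTO_memcmp) that is maintained so the
 * compiler does not turn it back into a branch. */
int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    /* diff == 0 -> (0 - 1) wraps to 0xFFFFFFFF, top bit 1; otherwise top bit 0 */
    return (int)(((uint32_t)diff - 1u) >> 31);
}

int main(void) {
    /* Constructed 8-byte expected tag and two wrong candidates. */
    const uint8_t tag[8]    = {0xde,0xad,0xbe,0xef,0x01,0x02,0x03,0x04};
    const uint8_t guess1[8] = {0x00,0xad,0xbe,0xef,0x01,0x02,0x03,0x04}; /* byte 0 wrong */
    const uint8_t guess2[8] = {0xde,0xad,0xbe,0xef,0x01,0x00,0x03,0x04}; /* byte 5 wrong */
    printf("leaky steps: guess1=%zu guess2=%zu (matching prefix length leaks)\n",
           leaky_equal_steps(tag, guess1, 8), leaky_equal_steps(tag, guess2, 8));
    printf("ct_equal:    guess1=%d guess2=%d tag=%d (always 8 steps)\n",
           ct_equal(tag, guess1, 8), ct_equal(tag, guess2, 8), ct_equal(tag, tag, 8));
    return 0;
}
```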
Threats to Applications (cont.)
• Malicious software
  – Types: viruses, worms, Trojan horses, rootkits, bots, spam, pharming, spyware, key loggers
  – Purpose
    • Steal, corrupt, or destroy information
    • Remote control
    • Denial of service
Threats to Applications (cont.)
• Types of malware
  – Virus: human-assisted replication; embeds in programs, files, master boot records
  – Worm: self-replicating, scans for victims, rapid spread
  – Trojan horse: claims one function, but is malware
Threats to Applications (cont.)
• Types of malware (cont.)
  – Rootkit: hides within or beneath the operating system
  – Bot: remote-control zombie
  – Spam: unsolicited e-mail
Threats to Applications (cont.)
• Types of malware (cont.)
  – Pharming: attack on DNS to redirect traffic to a decoy application
  – Spyware: collects information about usage, forwards it to a central server
  – Key logger: logs keystrokes and mouse movements, forwards them to a central server
Threats to Applications (cont.)
• Malware countermeasures
  – Anti-malware
  – Patches
  – Firewalls and application firewalls
  – Hardened systems
Threats to Applications (cont.)
• Malware countermeasures (cont.)
  – Intrusion detection systems
  – Decreased privilege levels
  – Penetration testing
Threats to Applications (cont.)
• Input attacks
  – Buffer overflow
  – Script injection
  – Cross-site scripting
  – Cross-site request forgery
Threats to Applications (cont.)
• Input attack countermeasures
  – Input field filtering, application firewall, application vulnerability scanning, software developer training
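Added example, not from the textbook, of the input-filtering countermeasure as it applies to the cross-site scripting item: rather than stripping "bad" characters from input, the reliable check is to encode the few characters that change HTML structure before untrusted text is written into a page. The encoder below writes into a bounded buffer and refuses input that would not fit, so the same function also addresses the buffer overflow item in the input attacks list. The function name and the sample comment string are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Output encoding for HTML. Blocklist filters miss alternate encodings; an
 * allowlist encoder instead rewrites the five characters that can break out
 * of a text node or attribute value. The output buffer is bounded: the
 * function returns the number of bytes written (excluding the NUL), or -1 if
 * the encoded form would not fit, so a long input can never overflow out. */
int html_escape(const char *in, char *out, size_t out_size) {
    if (in == NULL || out == NULL || out_size == 0)
        return -1;
    size_t used = 0;
    for (const char *p = in; *p != '\0'; p++) {
        const char *rep;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#x27;"; break;
        default:   rep = NULL;     break;   /* everything else passes through */
        }
        size_t len = rep ? strlen(rep) : 1;
        if (used + len >= out_size)         /* keep one byte for the NUL */
            return -1;
        if (rep)
            memcpy(out + used, rep, len);
        else
            out[used] = *p;
        used += len;
    }
    out[used] = '\0';
    return (int)used;
}

int main(void) {
    char out[128];
    /* Constructed sample: a comment field that carries a script tag. */
    const char *comment = "<script>alert('x')</script> & \"quotes\"";
    int n = html_escape(comment, out, sizeof out);
    printf("%d bytes: %s\n", n, out);
    char tiny[8];
    printf("into an 8-byte buffer: %d (refused, would not fit)\n",
           html_escape(comment, tiny, sizeof tiny));
    return 0;
}
```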
Threats to Applications (cont.)
• Object reuse
  – Use of a resource belonging to another process, including:
    • Memory, databases, file systems, temporary files, and paging space
Threats to Applications (cont.)
• Object reuse countermeasures
  – Application isolation
  – Server virtualization
  – Developer training
Threats to Applications (cont.)
• Mobile code
  – Executable code, active content, downloadable content
  – Examples: active website content, downloaded programs
  – Some is desired, but some is malicious in nature
Threats to Applications (cont.)
• Mobile code countermeasures
  – Anti-malware, mobile code access controls
  – Reduced user privileges
Threats to Applications (cont.)
• Social engineering
  – Attack on personnel to gain secrets
  – People are vulnerable because they want to help
• Social engineering countermeasures
  – Security awareness training that includes accountability
Threats to Applications (cont.)
• Time of check / time of use (TOCTOU)
  – Also known as a “race condition”
  – Defect in resource allocation and management controls
  – Possible exploitation to cause harm or steal data
Threats to Applications (cont.)
• TOCTOU countermeasures
  – Reviews of resource allocation controls
  – Improve privacy of communications
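As an added example that is not the textbook's, the most common file-system form of the TOCTOU defect above is a program that checks a path with access() and then opens the same path; the two calls are separate, so nothing guarantees they refer to the same object. The C below shows the usual countermeasure, opening once and validating the descriptor rather than the name. It assumes a POSIX system; the function names and the temporary file and symlink fixture under /tmp are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The TOCTOU shape is: if (access(path, R_OK) == 0) fd = open(path, ...).
 * Nothing ties the path that was checked to the path that is opened; in the
 * gap the name can be re-pointed (a symlink swap) at an object the check
 * never saw. Countermeasure: make the open itself the check. Open once,
 * refuse a symlink as the final component (O_NOFOLLOW), then validate the
 * descriptor with fstat(), which describes the object actually opened and
 * cannot be swapped afterwards. Returns a descriptor, or -1 on any refusal. */
int open_regular_file(const char *path, int flags) {
    int fd = open(path, flags | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                 /* ENOENT, EACCES, or ELOOP for a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);                 /* directory, device, FIFO: not acceptable */
        return -1;
    }
    return fd;                     /* all later I/O uses this fd, never the name */
}

/* Demonstration fixture (constructed): an empty regular file under /tmp and
 * a symlink pointing at it. Returns 0 on success, -1 if either cannot be made. */
int make_fixture(char *file, size_t file_size, char *link, size_t link_size) {
    char tmpl[] = "/tmp/toctou_demo_XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    close(fd);
    snprintf(file, file_size, "%s", tmpl);
    snprintf(link, link_size, "%s.lnk", tmpl);
    unlink(link);
    return symlink(file, link) == 0 ? 0 : -1;
}

int main(void) {
    char file[64], link[64];
    if (make_fixture(file, sizeof file, link, sizeof link) != 0)
        return 1;
    int fd = open_regular_file(file, O_RDONLY);
    printf("regular file -> fd %d (accepted)\n", fd);
    if (fd >= 0) close(fd);
    printf("symlink      -> %d (refused by O_NOFOLLOW)\n", open_regular_file(link, O_RDONLY));
    printf("/dev/null    -> %d (refused: not S_ISREG)\n", open_regular_file("/dev/null", O_RDONLY));
    unlink(link);
    unlink(file);
    return 0;
}
```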
Threats to Applications (cont.)
• Back door / maintenance hook
  – Access holes deliberately planted by a developer
    • To facilitate easier testing during development
    • To facilitate production access
    • To facilitate a break-in
Threats to Applications (cont.)
• Back door countermeasures
  – Code reviews
  – Source code control
Threats to Applications (cont.)
• Logic bombs
  – Deliberate malfunction that causes harm
  – Time bombs
    • Malfunction on a given date and time
  – Event bombs
    • Malfunction on a specific event
Threats to Applications (cont.)
• Logic bomb countermeasures
  – Software source code review, external audits
Security in the Software Development Life Cycle (SDLC)
• SDLC
  – The entire collection of processes used to design, develop, test, implement, and maintain software
Security in the Software Development Life Cycle (cont.)
• Security must be included in each step of the SDLC
  – Conceptual
  – Requirements and specifications development
  – Application design, coding, and testing
Security in the Software Development Life Cycle (cont.)
• Security in the conceptual stage
  – Presence of sensitive information must be identified
  – Access controls (users, administrators, third parties)
  – Regulatory conditions
  – Security dependencies
Security in the Software Development Life Cycle (cont.)
• Security application requirements and specifications
  – Functional requirements
  – Standards
  – Security requirements
    • Roles, access controls, audit logging, configuration management
Security in the Software Development Life Cycle (cont.)
• Requirements and specifications (cont.)
  – Regulatory requirements
  – The test plan is a byproduct of the requirements
Security in the Software Development Life Cycle (cont.)
• Security in application design
  – Adhere to all requirements and specifications
  – Published design documents
  – Design reviews
    • Reviewed by all stakeholders, including security
Security in the Software Development Life Cycle (cont.)
• Threat risk modeling
  – Identify threats and risks prior to development
    • Tool: Microsoft Threat Analysis and Risk
  – Possible changes to specifications, requirements, or design
Security in the Software Development Life Cycle (cont.)
• Security in application coding
  – Develop safe code
    • Free of common vulnerabilities – particularly in web apps
    • Unvalidated input / broken access control
    • Broken authentication / scripting attack
    • Buffer overflow / insecure storage
  – Use safe libraries that include safe functions for input validation
Security in the Software Development Life Cycle (cont.)
• Security in testing
  – Testing should verify correct coding of every requirement and specification
    • Tools: WebInspect, AppScan
Security in the Software Development Life Cycle (cont.)
• Protect the SDLC itself
  – Source code access control
    • Protect source code
    • Protect development tools / libraries
    • Record version changes
  – Protection of software development and testing tools
    • Protect from unauthorized modifications
Security in the Software Development Life Cycle (cont.)
• Protect the SDLC (cont.)
  – Protection of software development systems
    • Prevent introduction of malware, back doors, logic bombs
Application Environment and Security Controls
• Controls that must be present in a developed application
  – Authentication
    • Limiting access to only legitimate, approved users
    • Own authentication / enterprise-wide LDAP, Active Directory
  – Authorization
    • Limiting access only to approved functions and data
    • Thousands of functions / thousands of users
Application Environment and Security Controls (cont.)
• Controls (cont.)
  – Role-based access control
    • Based on job description / job code
  – Audit logging
    • Logging of all actions in the application
      – Date/time, user, user’s location
      – Event name
      – Relevant data
  – Audit log protection
Database Architectures
• Various databases – SQL Server, Oracle, DB2, Sybase, etc.
• Hierarchical databases: tree structure, Internet’s DNS, legacy
• Network databases: complex tree structure, legacy
• Object databases: OO, methods stored with data
Database Architectures (cont.)
• Distributed databases: physically distributed, any type
• Relational databases (RDBMS): in widest use today
  – Structure is defined by a schema
  – Data modeling tools are used to create the schema
  – Oracle, SQL Server, DB2, MySQL, etc.
Database Transactions
• Record retrieval
• Record update
• Record creation
• Nested or complex transactions executed as a unit
  – Begin work… <transactions> …end work
Database Security Controls
• Access controls
  – User IDs, passwords
  – Table / row / field level access control
  – Read-only or read/write
Database Security Controls (cont.)
• Views
  – Virtual tables that are a subset of individual tables, or a “join” between tables
  – Permission is given to views just like “real” tables
Summary
• Types of applications: agents, applets, client-server, distributed, web
• Application language types: control flow, structured, object oriented, knowledge based
Summary (cont.)
• Reasons for threats to applications: industrial espionage, vandalism and disruption, denial of service, political / religious
Summary (cont.)
• Types of threats
  – Buffer overflow, covert channel, side channel, malware, input attacks, object reuse, mobile code, social engineering, TOCTOU, back door, logic bomb
Summary (cont.)
• Software development life cycle (SDLC) steps
  – Conceptual, requirements / specifications, design, coding, testing, maintenance
  – Source code control, configuration management
• Application environment security controls
  – Authentication, access control, audit logging
Summary (cont.)
• Types of databases
  – Hierarchical, network, distributed, object-oriented, relational (most common)
• Database security controls: user ID, access control, audit logging, views