CISSP - Software Development Security Tutorial

1 Domain 08 - Software Development Security

Hello and welcome to Domain 8 of the CISSP certification course offered by Simplilearn. This lesson provides an introduction to Software Development Security. Let us explore the objectives of this lesson in the next screen.

2 Objectives

After completing this domain, you will be able to:
• Recognize the importance of system environments and programming concepts
• Discuss Object-Oriented Programming
• Describe the System Life Cycle and Systems Development
• Explain Database and Data Warehousing Environments
• List the Ten Best Practices for Secure Software Development – (ISC)2

3 Importance of Software Development Security

Nutri Worldwide Inc. developed a Vendor Management System for their vendor management process. One of the key features of the new software was the centralized bidding process for contracts. It was noticed that, regardless of the number of bidders, one vendor always managed to get the contract for the supply of bottles and cans for one of the processing units. It was later found out after a thorough investigation that this vendor managed to access the bidding data. During the programming and testing phase of the development of the software, secure programming practices were not implemented. The software underwent a lot of rework and redevelopment before it was released again. Kevin, who is preparing for his CISSP exam, read this internal case study to understand the Importance of Software Development Security.

4 System Environments

System environments can be defined as a combination of different independent components, such as servers, application networks, and their inter-relationships. Information systems are becoming more distributed, with a substantial increase in open protocols, interfaces, source code, and sharing of resources. This requires that all resources be protected against unauthorized access. Countermeasures and safeguards are provided through software controls, especially operating system mechanisms. Moreover, with the increased use of web-based applications running on distributed systems, the Internet presents a security challenge because of the complexity of the information flow. A lack of software protection mechanisms can leave the operating system and critical computer resources open to corruption and attack. The various system environments are described here. They are: Distributed Environment; Client/Server Systems; Local Environment; Distributed Data Processing (DDP); Agents; and Applets.

5 Distributed Environment

Distributed Environment is a systems architecture that integrates the management of application software, application platform, technology interface, information, and communications.

6 Client/Server Systems and Local Environment

Client/Server Systems enable an application system to be divided across multiple platforms that have different operating systems and hardware. The client requests services and the server fulfills these requests. The server handles the data-processing services and provides the processed result to the client. The client performs the front-end portion of an application, and the server performs the back-end portion, which is usually more labor intensive. In a Local Environment, applications are located in one place and on one system, and communication links do not exist.

7 Distributed Data Processing and Agents

Distributed Data Processing or DDP (read as D-D-P) uses physically separated computers that manage data independently and are able to share it with one another. Agents are small standalone programs that are part of a larger application. Agents carry out specific functions, such as remote status collection or remote system management. Agents generally run autonomously and without any human interaction. Some examples of agents include: an anti-virus program on a workstation or server, which acts as an agent in an enterprise environment that includes a central management console; and a patch management agent on each server, which periodically queries the OS for the existence of software patches and installs patches when commanded to do so.

8 Applets

Applets are small programs residing on a host computer that are downloaded to a client computer to be executed; they are usually written in Java, ActiveX, or JavaScript. An applet is a software program that runs within the context of another program. Java is an object-oriented, distributed, general-purpose programming language developed by Sun. Java has some of the characteristics of both compiled and interpreted languages. The Microsoft ActiveX environment also supports the downloading of mobile code (ActiveX controls) written in languages such as Visual Basic or C++ to web browsers, and thus has the potential for causing harm to a system.

9 Programming Concepts

In this screen, we will discuss programming concepts in detail. Programming language usually refers to high-level languages like C, FORTRAN, and Pascal. The common types of programming languages are as follows.
Machine language or machine code is a software program that is executed directly by the CPU. Machine language is CPU-dependent; it is a series of ones and zeroes which translate to instructions that the CPU understands.
Assembly language is a low-level computer programming language. The instructions are written in short mnemonics, such as ADD for addition, SUB for subtract, and JMP for jump, that match machine language instructions. An assembler converts assembly language into machine language. A disassembler converts machine language into assembly.
In a high-level language, programmers write the code using logical words and symbols. The code is then translated into machine code before being executed by the CPU. High-level languages contain English-like instructions such as printf for print formatted.
Source code is computer programming language instructions written in text that must be translated into machine code before execution by the CPU. We will discuss the differences between a compiler and an interpreter in the next screen.

10 Compiler Vs Interpreter

Compilers take source code, such as C or BASIC, and compile it into machine code. A compiled program is compiled only once. Interpreted languages differ from compiled languages: interpreted code (e.g., a shell script) is translated each time the program is run. If an interpreted program is run 100 times, it is translated 100 times. An interpreter translates high-level instructions into an intermediate form, which it then executes. In contrast, a compiler translates high-level instructions directly into machine language. Compiled programs generally run faster than interpreted programs. The advantage of an interpreter, however, is that it does not need to go through the compilation stage during which machine instructions are generated. A compiler finds all the errors in a program and lists them together, whereas an interpreter checks the program for errors statement by statement. With a compiler, error correction can be time-consuming: it generates the error messages only after scanning the whole program, so debugging is comparatively hard. With an interpreter, error correction is easier: it continues to translate the program until the first error is met, at which point it stops, so debugging is easy. Compilers are difficult to use, whereas interpreters are easier to use. Programming languages like C and C++ use compilers, and programming languages like Python and Ruby use interpreters. We will look at programming and software in detail in the following screen.

11 Programming and Software

Publicly released software may come in different forms after programming. For example, the software may come with or without the accompanying source code. It is released under a variety of licenses. Open-source software publishes its source code publicly, allowing anyone to inspect, modify, or compile it. Examples include Ubuntu Linux and the Apache web server. Closed-source software is typically released in executable form: the source code is kept confidential. Examples include Oracle and Microsoft Windows 7. Proprietary software is subject to intellectual property protections such as patents or copyrights. It can be either open-source or closed-source software; an example is Apple iOS. Shareware is fully functional proprietary software that may be initially used free of charge. If the user continues to use it beyond a period of time specified by the license (such as 30 days), the shareware license requires payment. An example is the trial version of MS Office (read as M-S-Office). Crippleware is partially functioning proprietary software, often with key features disabled. The user is required to make a payment to unlock the full functionality. An example is IBM (read as I-B-M) AppScan. Free software can mean either that the software is free of charge to use or that the user is free to use the software in any way he or she chooses, including modifying it. Freeware is free of charge to use, for example, free mobile apps. In the next screen, we will discuss threats in the software environment.

12 Threats in the Software Environment

A buffer overflow attack occurs when someone attempts to disrupt a program's operation. In a buffer overflow attack, the excess input data overflows the program's input buffer and overwrites another part of the program's memory space. Depending upon the hardware and software architecture of the attacked program, this can lead to corruption of other variables in the program, which could lead to an unexpected change in the program's behavior, or the overflow could overwrite instructions in the software. Citizen programmers are programmers who may create applications with both security and reliability problems. If this type of unsupervised programming is allowed, then a single user may have complete control over an application or process. Visual Basic, included in the Microsoft Office suite, is often used by citizen programmers to develop their applications or extend existing ones. They are also known as casual programmers, who are unlikely to be trained in, or bound by, system development practices that involve proper application design, change control, and support for the application. Therefore, applications developed by them are likely to be chaotic and lack assurance in regard to security. Citizen programming should be addressed as a matter of policy.
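As an added illustration (this is not part of the course material), the C code below shows the defect the screen describes beside a bounds-checked version. The function names, the 16-byte limit and the sample inputs are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the original course. Names and the 16-byte limit are
 * constructed for illustration. */

#define NAME_LEN 16

/* Vulnerable form: strcpy copies until it finds the terminating NUL, with no
 * regard for the 16-byte size of 'name'. Input longer than 15 characters
 * overruns the buffer and overwrites whatever follows it on the stack (other
 * variables, saved registers, the return address). Returns the stored length. */
size_t store_name_unsafe(const char *input)
{
    char name[NAME_LEN];
    strcpy(name, input);               /* no bounds check */
    return strlen(name);
}

/* Hardened form: measure the input against the destination capacity first,
 * reject anything that would not fit (including its NUL terminator), and copy
 * only what was measured. Returns 0 on success, -1 if the input is too long. */
int store_name_safe(const char *input, char *out, size_t out_len)
{
    /* look for the NUL within out_len bytes only; reading further is unnecessary */
    const char *nul = memchr(input, '\0', out_len);
    if (out_len == 0 || nul == NULL)
        return -1;                     /* no terminator within capacity: too long */
    size_t n = (size_t)(nul - input);
    memcpy(out, input, n + 1);         /* copies the terminator as well */
    return 0;
}

/* Wrapper used for checking: stores into a local 16-byte buffer and returns the
 * stored length, or -1 when the input was rejected. */
int store_name_checked(const char *input)
{
    char name[NAME_LEN];
    if (store_name_safe(input, name, sizeof name) != 0)
        return -1;
    return (int)strlen(name);
}

int main(void)
{
    const char *inputs[] = { "alice", "exactly16chars!!" };   /* constructed inputs */
    for (int i = 0; i < 2; i++) {
        int r = store_name_checked(inputs[i]);
        printf("%-20s -> %s\n", inputs[i], r < 0 ? "rejected (too long)" : "stored");
    }
    return 0;
}
```

The hardened version rejects over-long input rather than silently truncating it, which is the safer default when the truncated value would later be used as an identifier.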

13 Threats in the Software Environment (contd.)

A covert channel, or confinement problem, is an information flow issue. It is a communication channel that allows two cooperating processes to transfer information in such a way that it violates the system's security policy. This is primarily a concern in systems containing highly sensitive information. There are two commonly defined types of covert channels: storage and timing. A covert storage channel involves the direct or indirect reading of a storage location by two different processes. A memory location or a sector on a disk that is shared by two subjects at different security levels is a typical example of covert storage. A covert timing channel involves the ability to influence the rate at which some other process is able to acquire resources, such as the CPU, memory, or I/O devices. The variation in rate may be used to pass information to another process by modulating one's own use of system resources. Malicious software, also known as malicious code, is a class of software that comes in many forms and performs a variety of damaging actions. The purposes of malware include:
• Propagation. The ability of the malware program to spread from system to system.
• Damage and destruction of information. Malware can alter or delete files on target systems.
• Stealing information. Malware can locate and steal valuable information such as e-mail addresses, user IDs, and passwords, and send it to the malware's owner or operator.
• Usage monitoring. Malware can implant the means to record subsequent communications, keystrokes, and mouse clicks, and send this data to the malware's owner or operator.
• Denial of service. Malware can consume all available resources on a target system, rendering it essentially useless for its intended use.
• Remote control. Malware can implant a bot onto a target system that allows an attacker to remotely control the system.

14 Threats in the Software Environment (contd.)

In a malformed input attack, the input supplied to a program is constructed in unusual ways that the program does not expect. There are various systems to detect and protect against such attacks. For example, an attack that redirected a web browser to an alternate site might be caught by a firewall that detects the Uniform Resource Locator (URL) of an inappropriate site. Memory or object reuse: memory management involves sections of memory being allocated to one process for a while, then de-allocated, then reallocated to another process. Because residual information may remain when a section of memory is reassigned to a new process after a previous process is finished with it, a security violation may occur. While memory locations are of primary concern in this regard, developers should also be careful with the reuse of other resources that can contain information, such as disk space. The paging or swap file on the disk is frequently left unprotected and may contain an enormous amount of sensitive information if care is not taken to prevent this occurrence.
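The object reuse problem above, as an added C example that is not part of the course: a tiny single-block allocator stands in for the memory manager, one "process" stores a secret and releases the block, and a second "process" receives the same block. A naive release leaves the secret readable; a scrubbing release clears it first. The allocator, the function names and the sample secret are all constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not from the original course. The pool, its API and the sample
 * secret are constructed to show residual data surviving deallocation. */

#define BLOCK_SIZE 32

static unsigned char pool[BLOCK_SIZE];   /* the one block the allocator manages */
static int pool_in_use = 0;

/* Hand out the block (NULL if already taken). Like most allocators, it does
 * not clear the memory it returns. */
unsigned char *pool_alloc(void)
{
    if (pool_in_use) return NULL;
    pool_in_use = 1;
    return pool;
}

/* Naive release: marks the block free but leaves its contents intact. */
void pool_free_unsafe(unsigned char *p)
{
    (void)p;
    pool_in_use = 0;
}

/* Scrubbing release: overwrite before marking the block free so the next owner
 * sees only zeros. Writing through a volatile pointer keeps the compiler from
 * removing a store to memory that is "never read again". */
void pool_free_scrubbed(unsigned char *p)
{
    volatile unsigned char *vp = p;
    for (size_t i = 0; i < BLOCK_SIZE; i++) vp[i] = 0;
    pool_in_use = 0;
}

/* Process A stores a secret and releases the block with 'release'; process B
 * then allocates and checks whether the secret is still there.
 * Returns 1 if residual data leaked to B, 0 if not, -1 if the pool was busy. */
int residual_leak(void (*release)(unsigned char *))
{
    const char secret[] = "hunter2-session-token";    /* constructed sample secret */
    unsigned char *a = pool_alloc();
    if (a == NULL) return -1;
    memcpy(a, secret, sizeof secret);
    release(a);                                       /* A is finished with the memory */

    unsigned char *b = pool_alloc();                  /* B is handed the same block */
    int leaked = memcmp(b, secret, sizeof secret) == 0;
    pool_free_scrubbed(b);                            /* leave the pool clean */
    return leaked;
}

int main(void)
{
    printf("naive free:     secret visible to next owner = %d\n", residual_leak(pool_free_unsafe));
    printf("scrubbing free: secret visible to next owner = %d\n", residual_leak(pool_free_scrubbed));
    return 0;
}
```

The same principle applies to the swap file and disk blocks mentioned in the screen: the resource must be sanitized before it is reassigned, and the sanitizing write must not be optimized away.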

15 Threats in the Software Environment (contd.)

Executable content or mobile code is software that is transmitted across a network from a remote source to a local system and is then executed on that local system. The code is transferred by user actions and, in some cases, without the explicit action of the user. The code can arrive at the local system as an attachment to an e-mail message or through web pages. The concept of mobile code has been given many names: mobile agents, mobile code, downloadable code, executable content, active capsules, remote code, etc. A social engineering attack targets the personnel in an organization. Usually the purpose of a social engineering attack is to gain secrets from individuals that can later be used to gain unauthorized access to the organization's systems. The social engineer uses a technique known as pretexting, pretending to be someone else. Social engineers prey on this human weakness, for example through feigned calls for assistance.

16 Threats in the Software Environment (contd.)

A Time of Check to Time of Use or TOC/TOU (read as T-O-C-T-O-U) attack exploits the time gap between the moment the system's security functions check a variable's contents and the moment the variable is actually used during operations. It is also known as a race condition. In this state, the program may behave inconsistently, with arbitrary and erroneous results. For instance, a connection between two machines may drop. If an attacker manages to attach to one of the ports used for this link before the failure is detected, the invader can hijack the session by pretending to be the trusted machine. Data contamination means corruption of data integrity by input data errors. It can be a deliberate or accidental process or act that results in a change in the integrity of the original data.
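The check-then-use gap described above, as an added C example (not course code): a withdrawal routine checks a shared balance, then debits it a moment later. A hook stands in for another party acting in between, which is the window a TOC/TOU race exploits. The hardened version uses a compare-and-swap so the update only succeeds if the checked value is still current; otherwise it re-checks. The account, the hook and the amounts are constructed for this illustration.

```c
#include <stdatomic.h>
#include <stdio.h>

/* Added example, not from the original course. The account, the "rival" hook
 * and the scenario runner are constructed to make the race deterministic. */

typedef void (*window_hook)(atomic_long *);

static int rival_calls = 0;

/* Constructed interference: on its first call another party withdraws 80 from
 * the same account; later calls do nothing. */
void rival_withdraws_80_once(atomic_long *balance)
{
    if (rival_calls++ == 0) atomic_fetch_sub(balance, 80);
}

/* Vulnerable: the decision is made on a value that may be stale by the time it
 * is acted on. Returns the balance after the attempt. */
long withdraw_toctou(atomic_long *balance, long amount, window_hook interfere)
{
    long seen = atomic_load(balance);          /* time of check */
    if (seen < amount) return seen;
    if (interfere) interfere(balance);         /* window between check and use */
    atomic_fetch_sub(balance, amount);         /* time of use: trusts the old check */
    return atomic_load(balance);
}

/* Hardened: compare-and-swap ties the use to the checked value. If the balance
 * changed in the window, the swap fails, 'seen' is refreshed, and the check is
 * repeated on the current value instead of the stale one. */
long withdraw_cas(atomic_long *balance, long amount, window_hook interfere)
{
    long seen = atomic_load(balance);
    for (;;) {
        if (seen < amount) return seen;        /* time of check (repeated as needed) */
        if (interfere) interfere(balance);
        /* time of use: succeeds only if *balance still equals 'seen' */
        if (atomic_compare_exchange_strong(balance, &seen, seen - amount))
            return seen - amount;
    }
}

/* Runs one scenario from a fresh balance and returns the final balance. */
long run_scenario(long (*withdraw)(atomic_long *, long, window_hook),
                  long start, long amount, window_hook hook)
{
    atomic_long balance;
    atomic_init(&balance, start);
    rival_calls = 0;
    (void)withdraw(&balance, amount, hook);
    return atomic_load(&balance);
}

int main(void)
{
    printf("check-then-use, rival acts in the window: final balance %ld\n",
           run_scenario(withdraw_toctou, 100, 50, rival_withdraws_80_once));
    printf("compare-and-swap, rival acts in the window: final balance %ld\n",
           run_scenario(withdraw_cas, 100, 50, rival_withdraws_80_once));
    return 0;
}
```

With a starting balance of 100 and a rival taking 80 in the window, the check-then-use version ends at -30 (an overdraft the check was supposed to prevent), while the compare-and-swap version notices the change and refuses, leaving 20. The same idea applies to files: check and use must be performed on the same object, for example by validating an already-open descriptor rather than a path that can be swapped underneath it.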

17 Threats in the Software Environment (contd.)

The garbage collector attempts to reclaim garbage, that is, memory occupied by objects that are no longer in use by the program. Garbage collection is often portrayed as the opposite of manual memory management. The time when the garbage is actually collected can be unpredictable, resulting in stalls scattered throughout a session. A trapdoor or backdoor is a hidden mechanism that bypasses access control measures. It is an entry point into a program that is inserted into the software by programmers during the program's development. A programmer, or someone who knows about the backdoor, can exploit the trapdoor as a covert means of access after the program has been implemented in the system. An unauthorized user may also discover the entry point while trying to penetrate the system.

18 Business Scenario

The IT Department of Nutri Worldwide Inc. is developing a financial application to cater to the needs of their vendors and suppliers. The experienced development team worked diligently to meet the delivery deadline. To save time, they created a direct access into the application. Once the application was ready, the security team tested the application's ability to handle various threats like buffer overflows, garbage collection, covert channels, TOC/TOU, malformed input attacks, memory reuse, and data contamination. Tests were also performed on the application server to test its ability to handle virus attacks and malicious applets. Users were also made aware of social engineering attacks. Kevin volunteered to test the application as a part of his CISSP preparation. Kevin found out that one important threat was not identified by the application security testing team and informed Hilda Jacobs, General Manager, IT Security, about it. Question: Which important threat was not identified by the application security testing team? Answer: The presence of a backdoor was not identified.

19 System Life Cycle and Systems Development

The next topic is System Life Cycle and Systems Development. In this topic, we will explain Software Capability Maturity Model (CMM) levels, discuss the systems development life cycle (SDLC), define software testing, identify software testing methods, state software testing levels, describe application controls, list software development methods, define Java security, and comprehend secure software development best practices. The Software Capability Maturity Model or CMM (read as C-M-M) is based on the premise that the quality of a software product is a direct function of the quality of its associated software development and maintenance processes. The Software CMM was first developed by the Software Engineering Institute or SEI (read as S-E-I) in 1986 (read as nineteen eighty six). The SEI defines five maturity levels that serve as a foundation for conducting continuous process improvement and as an ordinal scale for measuring the maturity of the organization involved in the software processes. The following are the five maturity levels:
• Level One: Initial. The software process is usually inconsistent and chaotic. Success depends on an individual's effort, talent, and heroics.
• Level Two: Repeatable. The software process usually has a basic and reliable project management process. Project management practices are institutionalized.
• Level Three: Defined. The software processes for management and engineering activities are defined. Technical practices are integrated with management practices.
• Level Four: Managed. Product and process improvement is the key focus. Product and process are quantitatively controlled.
• Level Five: Optimizing. The focus of this level is continuous process improvement. Process improvement is institutionalized.
An evolution of the CMM methodology has resulted in the development of the Capability Maturity Model Integration (CMMI) by the SEI. The CMMI integrates the best practices and knowledge from the disciplines of software engineering, acquisition, and systems engineering. It has replaced the Software CMM. Let's proceed to the next topic, which is the Systems Development Life Cycle (SDLC).

20 Systems Development Life Cycle

The Systems Development Life Cycle or SDLC (read as S-D-L-C), also called the Software Development Life Cycle, is a system development model used throughout the IT industry. The SDLC is a project management tool used to plan, execute, and control a software development project. The SDLC provides a framework for the phases of a software development project, starting from defining the functional requirements through to implementation. The security practitioner should ensure that security is considered during all phases of the system life cycle, and that security activities are accomplished during each phase. Let us look at the phases of the SDLC and the security controls that can be included in each of them.
The first phase is to prepare a Security Plan. In this phase:
• A sensitivity assessment of the system and the information to be processed is conducted.
The second phase is Development or Acquisition. During this phase, the system is designed, purchased, programmed, and developed. This phase often consists of other defined cycles, such as the system development cycle or the acquisition cycle. The steps in this phase are:
• Determine security requirements
• Incorporate security requirements into specifications
• Obtain the system and related security activities
The next phase is Implementation, during which the system is tested and installed or fielded. Items to consider in this phase are:
• Install and switch on controls
• Security testing
• Certification and accreditation
The fourth phase is Operation and Maintenance, in which the system performs its work. The system is usually being continuously modified by the addition of hardware and software, and by many other events. Broadly, the items to consider in this phase are:
• Security operations and administration
• Operational assurance
• Audits and monitoring
• Change management
• Configuration management
Disposal is the last phase of the IT system life cycle and involves the disposal of information, hardware, and software. During this phase, secure information disposal and media sanitization are taken care of. Let us focus on the SDLC Operation and Maintenance phase in the next screen.

21 SDLC—Operation and Maintenance

Operation and Maintenance is an important phase in the system life cycle and includes the following activities:
• Ensure operations continuity
• Monitor system performance
• Detect vulnerabilities
• Manage and avoid problems in the system
• Secure recovery of systems
• Periodic risk analysis
• Follow change management procedures
• Verify compliance
The security practitioner must ensure that all these activities are carried out according to the organization's documented procedures. Let us discuss the integrated product team in the next screen.

22 Integrated Product Team (IPT)

An Integrated Product Team or IPT (read as I-P-T) is a multi-disciplinary team that helps facilitate decision making by:
• working together to build successful programs
• identifying and resolving issues
• making comprehensive and timely recommendations
The team comprises members from the organization's appropriate functional disciplines. An IPT is used for review and decision-making in complex programs and projects. It provides a forum for collaboration by involving all the stakeholders, such as users, management, customers, contractors, and developers. Let us discuss DevOps in the following screen.

23 DevOps

DevOps, derived from the terms "development" and "operations", is a software development method that places importance on communication, collaboration, and integration between the organization's software developers and IT staff. DevOps addresses the interdependence of software development and IT operations, a need especially felt by organizations with very frequent releases. DevOps helps an organization to quickly produce software products and services and ensures that quality assurance is adopted to improve operations performance. In the next screen, we will discuss software testing methods.

24 Software Testing Methods

The primary purpose of software testing is to detect and uncover errors and bugs. It is an ongoing process that helps to identify the correctness, completeness, and quality of a developed application. It is required to achieve maximum profit with a good quality product, within the limitations of time and money. In the software development life cycle, testing is important as it improves reliability, performance, and other important factors as per the requirement specifications. Different tests need to be performed in all the phases of the SDLC. The following are some of the methods used for software testing.
Static testing is a form of software testing where the software isn't executed. It checks the sanity of the code, algorithm, or document, primarily by reviewing the code or document manually to find errors. Code reviews, inspections, and software walkthroughs are also used.
Dynamic testing or dynamic analysis is a term used in software engineering to describe the testing of the dynamic behavior of code. In dynamic testing the software must actually be compiled and run. It involves working with the software, giving input values, and checking whether the output matches the expected values. Unit tests, integration tests, system tests, and acceptance tests utilize dynamic testing.
White-box testing is also known as clear box testing, glass box testing, transparent box testing, and structural testing. It is a method of testing software that tests the internal structures or workings of an application. In white-box testing, an internal perspective of the system, as well as programming skills, are used to design test cases. The tester chooses inputs to exercise paths through the code and determines the appropriate outputs.
Black box testing is also known as functional testing. It is a software testing technique whereby the internal workings of the item being tested are not known by the tester. For example, in a black box test on software design, the tester only knows the inputs and the expected outcomes, not how the actual output is achieved. The tester never examines the programming code and does not need any further knowledge of the program other than its specifications.
A requirements traceability matrix or RTM can be used to map the customer's requirements to the software testing plan. It traces the requirements and ensures that they are being met.
Combinatorial software testing is a black-box testing method that seeks to identify and test all unique combinations of software inputs. An example of combinatorial software testing is pairwise testing (also called all-pairs testing).
Fuzzing is also known as fuzz testing. It is a type of black box testing that enters random, malformed data as inputs into software programs to determine if they will crash. A program that crashes when receiving malformed or unexpected input is likely to suffer from a boundary checking issue and may be vulnerable to a buffer overflow attack. Any program that crashes or hangs has failed the fuzz test. We will discuss software testing levels in the next screen.
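Fuzzing as described above, as an added C example that is not part of the course: a small mutation fuzzer feeds corrupted copies of a valid message to a record parser. Reads and copies go through a bounds-instrumented reader that records a would-be overrun instead of performing it, playing the role a memory sanitizer plays in a real fuzzing setup, so the harness survives to count the faults. The message format, both parsers and the fuzzing loop are constructed for this illustration; the parser that trusts its length byte is the boundary-checking bug the screen warns about, and the checked parser is the fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the original course. The record format, the parsers
 * and the fuzzing loop are all constructed for this page.
 * Message layout: byte 0 = record count; each record = 1 length byte followed
 * by that many payload bytes; a payload is at most PAYLOAD_MAX by design. */

#define PAYLOAD_MAX 32

/* Bounds-instrumented reader: an access that would cross a boundary is
 * recorded in 'fault' rather than performed (the sanitizer's job). */
struct reader {
    const uint8_t *buf;
    size_t len, pos;
    int fault;
};

/* Bounds-checked single byte read; returns 0 at end of input (a clean stop). */
static int rd_byte(struct reader *r, uint8_t *out)
{
    if (r->pos >= r->len) return 0;
    *out = r->buf[r->pos++];
    return 1;
}

/* Bulk copy of n bytes into dst (capacity cap) as a careless parser would do
 * it; overrunning the source or the destination sets 'fault'. */
static void rd_copy(struct reader *r, uint8_t *dst, size_t cap, size_t n)
{
    if (n > cap || n > r->len - r->pos) { r->fault = 1; return; }
    memcpy(dst, r->buf + r->pos, n);
    r->pos += n;
}

/* Vulnerable parser: trusts the length byte. Returns the record count, -1 for
 * a cleanly rejected (truncated) message, or -2 when a boundary was violated. */
int parse_trusting(const uint8_t *msg, size_t len)
{
    struct reader r = { msg, len, 0, 0 };
    uint8_t count, n, payload[PAYLOAD_MAX];
    if (!rd_byte(&r, &count)) return -1;
    for (unsigned i = 0; i < count; i++) {
        if (!rd_byte(&r, &n)) return -1;
        rd_copy(&r, payload, sizeof payload, n);    /* n is never validated */
        if (r.fault) return -2;
    }
    return count;
}

/* Fixed parser: checks the declared length against the destination capacity
 * and the bytes actually remaining, rejecting the message cleanly if it lies. */
int parse_checked(const uint8_t *msg, size_t len)
{
    struct reader r = { msg, len, 0, 0 };
    uint8_t count, n, payload[PAYLOAD_MAX];
    if (!rd_byte(&r, &count)) return -1;
    for (unsigned i = 0; i < count; i++) {
        if (!rd_byte(&r, &n)) return -1;
        if (n > sizeof payload || n > r.len - r.pos) return -1;
        rd_copy(&r, payload, sizeof payload, n);
    }
    return count;
}

/* Well-formed seed message: two records, "abc" and "de" (constructed). */
const uint8_t FUZZ_SEED[] = { 2, 3, 'a', 'b', 'c', 2, 'd', 'e' };

/* xorshift32 with a fixed seed so every run mutates the same way. */
static uint32_t rng_state;
static uint32_t rng(void)
{
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 17;
    rng_state ^= rng_state << 5;
    return rng_state;
}

/* Mutation fuzzer: each iteration copies the seed, applies one to three random
 * byte overwrites or truncations, and feeds the result to 'parse'. Returns how
 * many inputs made the parser cross a boundary (a crash in real life). */
int fuzz(int (*parse)(const uint8_t *, size_t), int iterations)
{
    uint8_t buf[sizeof FUZZ_SEED];
    int crashes = 0;
    rng_state = 0x9E3779B9u;
    for (int it = 0; it < iterations; it++) {
        memcpy(buf, FUZZ_SEED, sizeof FUZZ_SEED);
        size_t len = sizeof FUZZ_SEED;
        unsigned edits = 1 + rng() % 3;
        for (unsigned e = 0; e < edits; e++) {
            if (rng() % 4 == 0 && len > 1) len--;         /* truncate */
            else buf[rng() % len] = (uint8_t)rng();       /* overwrite a byte */
        }
        if (parse(buf, len) == -2) crashes++;
    }
    return crashes;
}

int main(void)
{
    printf("trusting parser: %d boundary faults in 500 inputs\n", fuzz(parse_trusting, 500));
    printf("checked parser:  %d boundary faults in 500 inputs\n", fuzz(parse_checked, 500));
    return 0;
}
```

The fixed seed keeps every run reproducible, which matters when a fuzzer's finding has to be handed to a developer as a concrete failing input rather than a statistic.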

25 Software Testing Levels

Software testing levels are as follows:
• Unit Testing: low-level tests of software components, such as functions, procedures, or objects.
• Installation Testing: testing of software as it is installed and first operated.
• Integration Testing: testing multiple software components as they are combined into a working system.
• Regression Testing: testing software after updates, modifications, or patches.
• Acceptance Testing: performed to ensure the software meets the customer's operational requirements; when this testing is done directly by the customer, it is called User Acceptance Testing.
We will cover application controls in the next screen.

26 Application Controls

The goal of application controls is to enforce the organization’s security policy and procedures and to maintain the confidentiality, integrity, and availability of the computer-based information. Application security involves the input to the system, the data being processed, and the output of the system. The controls can be classified into preventive, detective, and corrective measures that apply to different security categories. These controls and categories are listed in the Table. In the subsequent screen, we will look at software development methods in detail.

27 Software Development Methods

There are various methods used for software development. Some of the popular methods are the Waterfall Model, the Spiral Model, Rapid Application Development, Extreme Programming, and other models. The Waterfall Model is a linear application development model that uses rigid phases. When one phase ends, the next begins. Steps occur in sequence, and, if unmodified, the model does not allow developers to go back to previous steps. In 1976, Barry Boehm reinterpreted the waterfall model. The modified waterfall model allows a return to a previous phase for verification or validation, ideally confined to connecting steps. In this modified version of the Waterfall model, rework can be accomplished within a phase when the phase-end review shows that it is required. The advantages of this method are that it is simple to implement, being a linear model, and that the amount of resources required to implement it is minimal. The disadvantage of this method is that one cannot go back a step or phase once it is finished, so small changes or errors that arise in the completed software may cause a lot of problems.

28 Software Development Methods (contd.)

In 1988, Barry Boehm developed the Spiral model, which is actually a meta-model that incorporates a number of software development models. This model depicts a spiral that incorporates the various phases of software development. The model states that each cycle of the spiral involves the same series of steps for each part of the project. The spiral model combines the idea of iterative development or prototyping with the systematic, controlled aspects of the waterfall model. It allows for incremental releases of the product, or incremental refinement through each time around the spiral. The spiral model also explicitly includes risk management within software development. The advantages of this method are that repeated or continuous development helps in risk management, and that the customer's expertise on the new system grows, enabling smooth development of a product that meets client needs. The disadvantages of this method are that the model is best suited to large projects, where the costs involved are higher and the system prerequisites involve a higher level of complexity, and that evaluating the risks involved in the project can increase the cost, which may be higher than the cost of building the system.

29 Software Development Methods (contd.)

Rapid Application Development or RAD (read as one word RAD) is a form of rapid prototyping that requires strict time limits on each phase and relies on tools that enable quick development. In RAD, software is developed via the use of prototypes, dummy Graphical User Interfaces or GUIs (read as G-U-Is), back-end databases, and more. The primary goal is to meet the system's business need. The advantages of this method are that it promotes a strong collaborative atmosphere and dynamic gathering of requirements, and that the business owner actively participates in prototyping, writing test cases, and performing unit testing. The disadvantages of RAD are that it depends on strong, cohesive teams and individual commitment to the project, and that decision-making relies on the feature functionality team and a communal decision-making process, with a lesser degree of centralized project management and engineering authority.

30 Software Development Methods (contd.)

Extreme Programming is a discipline of software development that is based on the values of simplicity, communication, and feedback. It is a structured approach with subprojects with defined scope and programmers working in pairs. The team produces the software in a series of small, fully integrated releases that fulfill the customer-defined needs for the software. Extreme Programming or XP (read as X-P) is an Agile software development method that uses pairs of programmers working off a detailed specification. The benefits of extreme programming are that it lowers the cost of changes through quick spirals of new requirements, and that most design activity occurs incrementally and on the fly. The drawbacks of the method are that the programmers must work in pairs, which is difficult for some people, and that the absence of up-front detailed design can result in more redesign effort in the long term.

31 Software Development Methods (contd.)

The other models include:
• Prototyping. The objective is to build a simplified version (prototype) of the application, release it for review, and use the feedback from the users’ (or clients’) review to build a better version.
• Modified Prototype Model or MPM (read as M-P-M). The goal is to have a flexible process to ensure that the application is not based on the state of the organization at any given time.
• Joint analysis development or JAD (read as J-A-D) model is a management process that helps developers to work directly with users to develop a working application. The success of JAD is based on having key players communicating at critical phases of the project.
• Exploratory Model is a set of requirements built with what is currently available. Assumptions are made as to how the system might work, and further insights and suggestions are combined to create a usable system.
• Computer-Aided Software Engineering or CASE (read as one word CASE) is the technique of using computers and computer utilities to help with the systematic analysis, design, development, implementation, and maintenance of software.
• Component-Based Development is the process of using standardized building blocks to assemble, rather than develop, an application.
• Reuse Model. In this model, an application is built from existing components. The reuse model is best suited for projects using object-oriented development because objects can be exported, reused, or modified.

32 Java Security

In this screen, we will discuss Java Security in detail. The Java programming language implements some specific security provisions. Some of these have been added to subsequent programming languages. The three parts or layers of the Java security approach are: the first layer is the verifier (or interpreter), which helps to ensure type safety and is primarily responsible for memory and bounds checking; the second layer is the class loader, which loads and unloads classes dynamically from the Java runtime environment; and the third layer is the security manager, which acts as a security gatekeeper protecting against rogue functionality. Additional security features include cryptographic algorithms, secure messaging, authentication and authorization services, encryption, etc. In the next screen, we will discuss Secure Software Development Best Practices.

33 Secure Software Development Best Practices

The best practices for Secure Software Development are provided by:
• Web Application Security Consortium or WASC: a nonprofit organization which produces open source and best practices for the World Wide Web. It is composed of an international group of experts, industry practitioners, and organizational representatives.
• Open Web Application Security Project or OWASP: a nonprofit organization focused on enhancing application security.
• ISO/IEC 27034: an international standard that provides guidelines to organizations on integrating security in software processes and is applicable to in-house developed or acquired software.

34 Business Scenario

The Software Testing team at Nutri Worldwide Inc. created a software test plan for the new CRM application. The project was divided into different modules and assigned to developers to start the coding. As per the assigned modules, the testers prepared test scenarios and test cases. Each module was tested individually. The software was also tested for compatibility on different operating systems, hardware, internet browsers, etc. The tests performed on individual modules were Unit testing, Installation testing, Regression testing and Acceptance testing. When the application was deployed in the production environment, some users reported issues in exporting the data between different modules. Hilda assigned the task of investigating this to Kevin. Kevin submitted his report to Hilda. Question: Which testing did Kevin’s report indicate should have been done to avoid the issue? Answer: Integration testing on module integration would have avoided the issue.

35 Object - Oriented Programming Terms

The following definitions are fundamental to object-oriented programming: method, message, objects, behavior, class, instances, encapsulation, delegation, inheritance, polymorphism, polyinstantiation, information hiding, and abstraction. Objects are distinct entities that a programmer can create. Each object has the ability to manipulate itself. Message is the communication to an object to carry out an operation. Method is the code that defines the action of the object in response to a message. Behavior refers to the results exhibited by an object in response to a message. Class is the collection of the common methods of a set of objects that defines the behavior of those objects. Objects are instances of classes and contain their methods. Encapsulation protects the object by denying direct access to view or interact with what is located inside the object.

36 Object - Oriented Programming Terms (contd.)

Delegation is the forwarding of a request by an object to another object. Inheritance is the concept wherein a data class defines the subclasses of data objects that share some or all of the main class characteristics. Polymorphism is the concept of objects processing differently depending on their data type. Polyinstantiation is the development of a detailed version of an object from another object using different values in the new object. Information hiding means hiding the process of other components. Abstraction is suppressing unnecessary details.
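The terms above (encapsulation, inheritance, polymorphism, delegation, polyinstantiation) illustrated in Python, as an added example that is not part of the course material. Polyinstantiation is shown in its multilevel-security use, where one key holds different values at different classification levels so that a lower-cleared reader cannot infer the existence of the higher record; the VendorBid, SealedBid, BidAuditor and SecureBidStore names and the clearance table are constructed for this example.

```python
"""OOP terms from the CISSP material, shown in code (added example)."""

# Constructed clearance ordering, used by the polyinstantiation demo below
CLEARANCE = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}


class VendorBid:
    """A class: the common methods shared by every bid object (instance)."""

    def __init__(self, vendor, amount):
        self.vendor = vendor
        # Encapsulation: the amount is hidden behind a name-mangled attribute,
        # so callers must go through the amount() method
        self.__amount = amount

    def amount(self):
        return self.__amount

    def describe(self):
        """Behaviour: the result exhibited in response to the 'describe' message."""
        return f"{self.vendor} bid {self.__amount:.2f}"


class SealedBid(VendorBid):
    """Inheritance: a subclass that shares VendorBid's characteristics."""

    def describe(self):
        # Polymorphism: the same message produces different behaviour,
        # depending on the object's type
        return f"{self.vendor} bid [sealed]"


class BidAuditor:
    """Delegation: the auditor forwards the 'describe' request to the bid."""

    def __init__(self, bid):
        self._bid = bid

    def describe(self):
        return self._bid.describe()


class SecureBidStore:
    """Polyinstantiation: the same key may exist at several classification
    levels, each instance holding different values. A reader only ever sees
    the most sensitive instance they are cleared for, so a low-clearance
    query returns the cover record rather than an error that would reveal
    that a higher-classified record exists."""

    def __init__(self):
        self._rows = {}  # (key, level) -> VendorBid

    def put(self, key, level, bid):
        self._rows[(key, level)] = bid

    def get(self, key, clearance):
        best_level, best_bid = -1, None
        for (k, level), bid in self._rows.items():
            rank = CLEARANCE[level]
            if k == key and rank <= CLEARANCE[clearance] and rank > best_level:
                best_level, best_bid = rank, bid
        return best_bid


def demo():
    """Constructed scenario: one contract key, a cover row and a SECRET row."""
    store = SecureBidStore()
    store.put("contract-42", "UNCLASSIFIED", VendorBid("CoverCo", 0.0))
    store.put("contract-42", "SECRET", SealedBid("BottleCo", 9800.0))
    return {
        level: store.get("contract-42", level).describe()
        for level in ("UNCLASSIFIED", "CONFIDENTIAL", "SECRET")
    }


if __name__ == "__main__":
    for level, text in demo().items():
        print(f"{level:13} sees: {text}")
```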

37 Object-Oriented Programming—Definition

Object-oriented programming or OOP (read as O-O-P) methods perform the same functionality as other software development methods. Data is entered into a program, the program passes the data from the beginning to the end performing logical procedures, and it returns a result. However, OOP may use different techniques that work in a more efficient manner. First, let’s understand the basic concepts of OOP. The core of pure object-oriented programming is to create an object, in code, that has certain properties and methods. Objects provide abstraction or information hiding. Programmers instantiate objects (that others wrote). Programmers manipulate objects through methods. Programmers do not need to know the inner workings of objects; instead they focus on how to use the object in the “big picture” and leave the details of the object’s operation to the object itself. Objects know how to access their own data. Objects know how to manipulate themselves. Objects pass messages to other objects: one object can communicate with another object if it knows the application programming interface or API communication requirements. An API is the mechanism that allows objects to talk to each other. In the subsequent screen, we will look into distributed object-oriented systems.

38 Distributed Object-Oriented Systems

Distributed development architectures allow applications to be divided into pieces that are called components, and each component can exist in a different location. This development paradigm allows programs to download code from remote machines onto a user’s local host in a manner that is seamless to the user. Applications are constructed with software systems that are based on distributed objects, such as the Common Object Request Broker Architecture or CORBA, Java Remote Method Invocation or JRMI, Enterprise JavaBeans or EJB, and the Distributed Component Object Model or DCOM. A distributed object-oriented system allows parts of the system to be located on separate computers within an enterprise network. The object system itself is a compilation of reusable self-contained objects of code designed to perform specific business functions. The way in which the objects communicate with one another is complex, especially because objects may not reside on the same machine, but may be located across machines on the network. To standardize this process, the Object Management Group or OMG created a standard called the Object Request Broker or ORB for finding objects, initiating objects, and sending requests to the objects. This standard is a part of the Common Object Request Broker Architecture (CORBA). Advantages of the Object Request Broker include the following: it allows new resources to be added as required, since it is a very open system architecture, and the system is flexible and scalable. Example: Java-based systems. In the next screen, we will cover Object Request Brokers.

39 Object Request Brokers

Object Request Brokers or ORBs are used to locate objects. The purpose of the ORB is to support the interaction of objects in heterogeneous, distributed environments. The objects may be on different types of computing platforms. Therefore, ORBs act as the locators and distributors of objects across networks. ORBs are considered middleware because they reside between two other entities. ORBs can also provide security features, or the objects can call security services. An ORB is a component of the Object Request Architecture (ORA), which is a high-level framework for a distributed environment. The common object brokers include COM, DCOM, and CORBA (read as COM, D-COM, and CORBA).

40 COM—Component Object Model

COM stands for Component Object Model. COM locates objects on a local system. It also allows objects written in different OOP languages to communicate with each other. For example, objects written in C++ can send messages to objects written in Java. COM is designed to hide the details of any individual object and to focus instead on the object’s capabilities. The Component Object Model or COM was developed by Microsoft.

41 DCOM—Distributed Component Object Model

DCOM stands for Distributed Component Object Model. It is a networked sequel to COM, developed by Microsoft. DCOM locates objects over a network. Microsoft Distributed COM or DCOM extends the Component Object Model or COM to support communication among objects on different computers using a LAN, a WAN, or even the Internet. DCOM allows the application to be distributed across locations that make sense to the customer and to the application. DCOM includes Object Linking and Embedding or OLE, which is a way to link documents together.

42 CORBA—Common Object Request Broker Architecture

CORBA stands for Common Object Request Broker Architecture. It is an open, vendor-neutral networked object broker framework developed by the Object Management Group or OMG. It competes with Microsoft’s proprietary DCOM. It enforces security policy through access control, data protection, non-repudiation, and auditing. CORBA defines an industry standard that enables programs written in different languages, using different platforms and operating systems, to interface and communicate. To implement this compatible interchange, a user develops a small amount of initial code and an Interface Definition Language or IDL file. The IDL file then identifies the methods, classes, and objects that are the interface targets. For example, CORBA can enable Java code to access and use objects whose methods are written in C++.

43 Software Security and Assurance

The following are the software security methods that can be implemented in organizations: security kernels; processor privilege states; bounds checking; parameter checking; memory protection; granularity of controls; separation of environments; prevention of time of check / time of use (TOC/TOU); prevention of social engineering; backup controls; software forensics; cryptography; password protection; mobile code controls; sandbox; and strong language support. A security kernel is responsible for enforcing a security policy. It is a strict implementation of a reference monitor mechanism. The architecture of a kernel operating system is typically layered, and the kernel should be at the lowest and most primitive level. It is a small portion of the operating system through which all references to information and all changes to authorizations must pass. To be secure, the kernel must meet three basic conditions: completeness, which means all accesses to information must go through the kernel; isolation, which means that the kernel itself must be protected from any type of unauthorized access; and verifiability, which means the kernel must be proven to meet design specifications.

44 Software Security and Assurance (contd.)

The processor privilege states protect the processor and the activities that it performs. The earliest method was to record the processor state in a register that could only be altered when the processor was operating in a privileged state. Instructions such as input/output requests were designed to include a reference to this register. If the register was not in a privileged state, the instructions were aborted. The hardware typically controls entry into the privileged mode. The privilege-level mechanism should prevent memory access (to programs or data) from less privileged to more privileged levels. Bounds checking is any method of detecting whether a variable is within some bounds before its use. It prevents buffer overflows on input.

45 Software Security and Assurance (contd.)

A security risk exists when all parameters have not been fully checked for accuracy and consistency by the operating system. The lack of parameter checking can lead to buffer overflow attacks. Parameter checking is implemented by the programmer and involves checking the input data for disallowed characters, length, data type, and format. Other technologies to protect against buffer overflows include canaries, that is, the use and monitoring of indicator data values at the end of buffer areas. Memory protection is concerned with controlling access to main memory. When several processes are running at the same time, it is necessary to protect the memory used by one process from unauthorized access by another. This can be ensured by partitioning memory so that processes cannot interfere with each other’s local memory and so that common memory areas are protected against unauthorized access.

46 Software Security and Assurance (contd.)

Granularity of controls ensures that the security controls are granular enough to address both programs and users; otherwise users will get more access permission than intended. For example, if the user is unable to access object A, but the user has access to a program that can access object A, then the security mechanisms could be bypassed. Inadequate granularity of controls can be addressed by proper implementation of the concept of least privilege, by setting reasonable limits on the user, and by covering separation of duties and functions. Programmers should never be system administrators or users of the application. Grant users only those permissions necessary to do their job.

47 Software Security and Assurance (contd.)

Separation of Environments. The following types of environments can exist in software development. Development environment, Quality assurance environment (testing), and Application (production) environment. The security issue is to control how each environment can access the application and the data and then provide mechanisms to keep them separate. Control measures to protect the various environments include physical isolation of environment, physical or temporal separation of data for each environment, access control lists, content-dependent access controls, role-based constraints, role definition stability, accountability, and separation of duties.

48 Software Security and Assurance (contd.)

Time of Check / Time of Use (TOC/TOU) is possible only if there are multiple threads of execution at the same time. The most common TOC/TOU hazards are file-based race conditions that occur when there is a check on some property of the file that precedes the use of that file. To avoid TOC/TOU problems, especially file-based issues, the programmer should avoid any file system call that takes a filename as input, instead of a file handle or a file descriptor. Files that are to be used should be kept in their own directory, where the directory is only accessible by the universal ID or UID (read as U-I-D) of the program performing the file operation. Race conditions are not the only TOC/TOU situations, and some applications may require periodic or continual authentication, depending upon security and policy requirements.
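The file-based race described above and the recommended fix (open first, then check the descriptor rather than the name) as an added example in Python; it is not part of the course material. The function names, the constructed bid file and the ownership/permission rules are assumptions of the example, and it needs a POSIX system.

```python
"""Check-then-use on a path name versus checking the opened descriptor (added example)."""

import os
import stat
import tempfile


def read_trusted_file_racy(path):
    """TOC/TOU hazard: the checks run against the *name*. Between the check
    and the open, the object behind that name can be replaced (for example
    by a symlink to a file the program should not read)."""
    if os.path.islink(path) or not os.path.isfile(path):   # time of check
        raise PermissionError(f"{path} is not a regular file")
    with open(path, "rb") as f:                            # time of use
        return f.read()


def read_trusted_file(path):
    """Fix: open once, then check and use the descriptor. fstat() and read()
    refer to the inode the open returned, so the name is never resolved twice."""
    flags = os.O_RDONLY | os.O_NOFOLLOW | getattr(os, "O_CLOEXEC", 0)
    try:
        fd = os.open(path, flags)          # O_NOFOLLOW: refuse a symlink outright
    except OSError as exc:
        raise PermissionError(f"refusing {path}: {exc.strerror}") from exc
    try:
        st = os.fstat(fd)                  # check the descriptor, not the name
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path} is not a regular file")
        if st.st_uid != os.geteuid():
            raise PermissionError(f"{path} is not owned by this program's UID")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PermissionError(f"{path} is writable by other users")
        with os.fdopen(fd, "rb") as f:     # the file object now owns fd
            fd = -1
            return f.read()
    finally:
        if fd != -1:
            os.close(fd)


def demo():
    """Constructed scenario: a private bid file plus a symlink pointing at it."""
    workdir = tempfile.mkdtemp()
    regular = os.path.join(workdir, "bids.txt")
    with open(regular, "wb") as f:
        f.write(b"vendor,amount\nBottleCo,9800\n")
    os.chmod(regular, 0o600)
    link = os.path.join(workdir, "bids-link.txt")
    os.symlink(regular, link)

    results = {"regular": read_trusted_file(regular)}
    try:
        read_trusted_file(link)
        results["symlink_rejected"] = False
    except PermissionError:
        results["symlink_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```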

49 Software Security and Assurance (contd.)

Social Engineering is a way in which attackers try to use social influence over users to subvert normal processes and technical controls for their own gain. It includes subtle intimidation, bluster, pulling rank, exploiting guilt, pleading for special treatment, exploiting a natural desire to be helpful, or appealing to an underling’s subversive streak. To protect against social engineering attacks, users and help desk staff need a proper framework within which to work. The best method of preventing social engineering is to make users aware of the threat and give them the proper procedures for handling unusual, or seemingly usual, requests for information.

50 Software Security and Assurance (contd.)

Backup Controls. Backing up operating system and application software is a method of ensuring productivity in the event of a system crash. Storing copies of software in an off-site location can be useful if the building is no longer available. Redundancy of data, programs, documentation, computing, and communications equipment can ensure that information is available in the event of an emergency. Keeping the source code for custom-designed software in escrow ensures that, if the software vendor were to go out of business, the source code would be available to use or to give to another vendor in the event that upgrades or assistance are needed. Contingency planning documents help to provide a plan for returning operations to normal in the event of an emergency. Disk mirroring, redundant array of independent disks (RAID), etc., provide protection for information in the event of a production server crashing.

51 Software Security and Assurance (contd.)

Software Forensics is the study of malicious software in regard to protection against malicious code. Software forensics has a number of possible uses. In analyzing software suspected of being malicious, it can be used to determine whether a problem is a result of carelessness or was deliberately introduced as a payload. Information can be obtained about authorship and the culture behind a given programmer, and the sequence in which related programs were written. This can be used to provide evidence about a suspected author of a program or to determine intellectual property issues. The techniques behind software forensics can sometimes also be used to recover source code that has been lost.

52 Software Security and Assurance (contd.)

Cryptographic techniques protect information by transforming the data through encryption schemes. They are used to protect the confidentiality and integrity of information. Most cryptographic techniques are used in telecommunications systems; however, because of the increase in distributed systems, they are becoming increasingly used in operating systems. Encryption algorithms can be used to encrypt specific files located within the operating system. For example, database files that contain user information, such as group rights, are encrypted using one-way hashing algorithms to ensure a higher protection of the data.

53 Software Security and Assurance (contd.)

Password Protection. Operating system and application software use passwords as a convenient mechanism to authenticate users. Typically, operating systems use passwords to authenticate the user and establish access controls for resources, including the system, files, or applications. Password protections offered by the operating system include controls on how the password is selected and how complex the password is, password time limits, and password length. Password files stored within a computer system must be secured by the protection mechanisms of the operating system as password files are prone to unauthorized access. The most common solution is to encrypt password files using one-way encryption algorithms or hashing. Another feature offered by an operating system for password security involves an overstrike or password-masking feature. This prevents others from reading the typed password through shoulder surfing.
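A password file protected with a salted one-way hash instead of plaintext, together with the selection controls the screen mentions (length and complexity), as an added example in Python that is not part of the course material. The PasswordFile class, the policy values and the PBKDF2 work factor are assumptions of the example.

```python
"""Password file protection with one-way hashing (added example)."""

import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ROUNDS = 100_000      # work factor; constructed value, raise it in production
MIN_LENGTH = 12       # password length control; constructed policy value


def meets_policy(password):
    """Selection/complexity control: minimum length plus three character classes."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return len(password) >= MIN_LENGTH and sum(classes) >= 3


def hash_password(password, salt=None, rounds=ROUNDS):
    """One-way transform: the stored string cannot be reversed to the password,
    and the per-user random salt defeats precomputed tables."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return "$".join([
        ALGORITHM,
        str(rounds),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    algorithm, rounds, salt_b64, _digest_b64 = stored.split("$")
    if algorithm != ALGORITHM:
        return False
    candidate = hash_password(password, base64.b64decode(salt_b64), int(rounds))
    return hmac.compare_digest(candidate, stored)


class PasswordFile:
    """In-memory model of an OS password file: 'user:hash' lines, no plaintext."""

    def __init__(self):
        self._entries = {}
        # Hash checked for unknown users so that a lookup takes the same time
        # whether or not the account exists (no username enumeration by timing)
        self._dummy = hash_password("dummy-password-for-timing-only")

    def add_user(self, user, password):
        if not meets_policy(password):
            raise ValueError("password does not meet the selection policy")
        self._entries[user] = hash_password(password)

    def authenticate(self, user, password):
        stored = self._entries.get(user, self._dummy)
        return verify_password(password, stored) and user in self._entries

    def dump(self):
        """What actually lands on disk: usernames and one-way hashes only."""
        return "\n".join(f"{u}:{h}" for u, h in sorted(self._entries.items()))


if __name__ == "__main__":
    pf = PasswordFile()
    pf.add_user("kevin", "Nutri-W0rldwide!")
    print(pf.dump())
    print("correct:", pf.authenticate("kevin", "Nutri-W0rldwide!"))
    print("wrong:  ", pf.authenticate("kevin", "guess-Passw0rd!"))
```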

54 Software Security and Assurance (contd.)

Mobile Code Controls are technical controls, which protect the user from the security consequences of viewing web pages, which have programs attached to them. Secured systems should limit mobile code or applets access to system resources such as the file system, the CPU, the network, the graphics display, and the browser’s internal state. The system should garbage-collect memory to prevent both malicious and accidental memory leakage. Sandbox is one of the control mechanisms for mobile code. It provides a protective area for program execution. Limits are placed on the amount of memory and processor resources the program can consume. If the program exceeds these limits, the Web browser terminates the process and logs an error code. This can ensure the safety of the browser’s performance. A sandbox can be created on the client side to protect the resource usage from applets.

55 Software Security and Assurance (contd.)

Strong Language Support is a method of providing safe execution of programs, as in Java. A type-safe language or safe language is one in which a program will never go wrong in certain ways. Such languages ensure that arrays stay in bounds, that pointers are always valid, and that code cannot violate variable typing. Memory access through pointers is one of the main causes of weaknesses or bugs and security problems in C or C++. Java does an internal check, called static type checking, which examines whether the arguments an operand may receive during execution are always of the correct type.

56 Software Security : XML and Security Assertion Markup Language

In this screen, we will look at some of the languages which provide software security. They are as follows. XML (read as X-M-L) stands for Extensible Markup Language. XML is a World Wide Web Consortium standard for structuring data in a text file so that both the format of the data and the data can be shared on intranets and the Web. XML is called extensible because the symbols are unlimited and can be defined by the user or author. XML can represent data in a neutral format that is independent of the database, the application, and the underlying DBMS. XML applications must be reviewed for how authentication of users is established, how access controls are implemented, how auditing of user actions is implemented and stored, and how confidentiality of sensitive data can be achieved. SAML stands for Security Assertion Markup Language, a format that uses XML to describe security information, primarily identity and authorization-related information. The important requirement that SAML addresses is web browser single sign-on (SSO). Single sign-on solutions are common at the intranet level, for example, using cookies. We will discuss Software Security: Service oriented architecture or SOA (S-O-A) in the following screen.

57 Software Security: SOA

Service oriented architecture or SOA (read as S-O-A) provides standardized access to the most needed services to many different applications at one time. In a SOA, disparate entities make their resources available to an entire population in a standardized way. In other words, SOA is a model for distributed computing, wherein applications call other applications over the network. Functionality is distributed over the network, utilizing the ability to find the functionality and connect to it. The SOA provides for modularity, flexibility, and reusability. Moreover, it allows for consistent and collaborative governance, security, and management, such as policy enforcement, authentication, encryption, and digital signature implementations, with the caveat that the security is designed and implemented correctly. The availability of middleware interfaces, however, can make them common targets for attack. It is independent of any vendor, product, or technology. As depicted in the figure, the core components of SOA implementations include people, process, platform, and practice. SOA helps create greater alignment between IT and the line of business while generating more flexibility. Business processes change constantly, and global competition requires the flexibility that SOA can provide. It empowers business decision makers. SOA helps in better reuse of existing IT investments as well as of the new services which are developed. SOA makes integration of the IT investments easier by making use of well-defined interfaces between services. SOA also provides an architectural model for integrating business partners’, customers’ and suppliers’ services into an enterprise’s business processes. This reduces cost and improves customer satisfaction. SOA increases organizational efficiency and employs best practices methodology. SOA reduces business risk and exposure by complying with proliferating government regulations, such as Sarbanes-Oxley, the US Patriot Act, etc.
We will look into audit and assurance mechanisms in the next screen.

58 Audit and Assurance Mechanisms

There are many audit and assurance mechanisms, and a few are discussed below. Information Integrity is the process of applying procedures to compare or reconcile what was processed against what was supposed to be processed. For example, controls can compare totals or check sequence numbers. Information Accuracy can be defined as the process of checking input accuracy or data validation and incorporating those checks into the appropriate applications. The various accuracy checks used are character checks or sanity checking, range checks, relationship checks, reasonableness checks, and transaction limit checks. Information Auditing is performed because vulnerabilities exist throughout the software life cycle. Auditing procedures assist in detecting any abnormal activities. A secure information system must provide authorized personnel with the ability to audit any action that can potentially cause access to, damage to, or in some way affect the release of sensitive information. Certification is the technical evaluation of the security compliance of the information system within its operational environment. It is the endorsement by the users and managers that the system/application meets their functional requirements. The certification process is followed by accreditation. The accreditation process reviews the certification information and grants the official authorization to place the information system into operational use. It is the formal approval by senior management. Information Protection Management protects the shared software from unauthorized modification by ensuring policies, developmental controls, and life-cycle controls are in place. Change Management is meant to ensure the integrity of the applications during the maintenance of software. Change controls must be sufficient to protect against accidental or deliberate introduction of variations in code that would allow system failures, security intrusions, corruption of data, or improper disclosure of information.
Configuration Management refers to monitoring and managing changes to a program or documentation. The goal is to guarantee integrity, availability, and usage of the correct version of all system components such as the software code, design documents, documentation, and control files.
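Parameter checking (disallowed characters, length, data type, format) from the buffer-overflow discussion earlier, and the information accuracy and integrity checks listed on this screen (character, range, relationship, reasonableness and transaction limit checks, plus totals and sequence numbers), applied to a constructed batch of bid records from the vendor management scenario. This is an added example, not course material; the field names, limits and the sample batch are assumptions.

```python
"""Parameter checking and information accuracy/integrity checks (added example)."""

import re
from decimal import Decimal, InvalidOperation

# Constructed policy values for the vendor-bid scenario
VENDOR_ID_RE = re.compile(r"V-[0-9]{4}")   # format: V- followed by four digits
MAX_FIELD_LEN = 32                          # length check
MAX_BID = Decimal("50000.00")               # transaction limit
MAX_QUANTITY = 1_000_000                    # reasonableness bound


def check_parameter(name, value, pattern, max_len):
    """Parameter checking: data type, length, disallowed characters, format.
    Returns an error string, or None when the value is acceptable."""
    if not isinstance(value, str):
        return f"{name}: wrong data type"
    if len(value) > max_len:
        return f"{name}: too long"
    if not all(c.isalnum() or c == "-" for c in value):
        return f"{name}: disallowed characters"
    if not pattern.fullmatch(value):
        return f"{name}: bad format"
    return None


def check_record(rec, expected_seq):
    """Accuracy checks on one bid record; returns the list of failures."""
    errors = []
    err = check_parameter("vendor_id", rec.get("vendor_id"), VENDOR_ID_RE, MAX_FIELD_LEN)
    if err:
        errors.append(err)
    nums = {}
    for field in ("quantity", "unit_price", "amount"):
        try:                                   # data-type check: exact decimals
            nums[field] = Decimal(str(rec.get(field)))
        except InvalidOperation:
            errors.append(f"{field}: not a number")
    if len(nums) == 3:
        q, p, a = nums["quantity"], nums["unit_price"], nums["amount"]
        if a <= 0:                             # range check
            errors.append("amount: range check failed (must be positive)")
        if a > MAX_BID:                        # transaction limit check
            errors.append(f"amount: exceeds transaction limit {MAX_BID}")
        if q != q.to_integral_value() or q < 1 or q > MAX_QUANTITY:
            errors.append("quantity: reasonableness check failed")
        if q * p != a:                         # relationship check between fields
            errors.append("amount: relationship check failed (quantity * unit_price)")
    if rec.get("seq") != expected_seq:         # sequence-number check
        errors.append(f"seq: expected {expected_seq}, got {rec.get('seq')}")
    return errors


def reconcile_batch(records, control_count, control_total):
    """Information integrity: compare what was processed against what the
    sender said should be processed (record count and control total)."""
    accepted, rejected, last_seq = [], {}, 0
    for rec in records:
        errors = check_record(rec, last_seq + 1)
        seq = rec.get("seq")
        if isinstance(seq, int):
            last_seq = seq
        if errors:
            rejected[seq] = errors
        else:
            accepted.append(rec)
    processed_total = sum((Decimal(r["amount"]) for r in accepted), Decimal("0"))
    return {
        "accepted_seqs": [r["seq"] for r in accepted],
        "rejected": rejected,
        "count_matches": len(records) == control_count,
        "total_matches": processed_total == Decimal(control_total),
        "processed_total": processed_total,
    }


# Constructed batch: one clean record and three that each fail a different check
SAMPLE_BATCH = [
    {"seq": 1, "vendor_id": "V-1001", "quantity": "100", "unit_price": "12.50", "amount": "1250.00"},
    {"seq": 2, "vendor_id": "V-1002", "quantity": "10", "unit_price": "20.00", "amount": "250.00"},
    {"seq": 3, "vendor_id": "V-10O3", "quantity": "5", "unit_price": "1.00", "amount": "5.00"},
    {"seq": 5, "vendor_id": "V-1004", "quantity": "1", "unit_price": "60000.00", "amount": "60000.00"},
]


def demo():
    # The sender's control figures cover all four records: 4 items, 61505.00 total
    return reconcile_batch(SAMPLE_BATCH, control_count=4, control_total="61505.00")


if __name__ == "__main__":
    result = demo()
    print("accepted:", result["accepted_seqs"])
    for seq, errs in result["rejected"].items():
        print(f"rejected seq {seq}: {errs}")
    print("count matches:", result["count_matches"], "| total matches:", result["total_matches"])
```

The control total fails to reconcile precisely because three records were rejected, which is the discrepancy the integrity check exists to surface.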

59 Assessing the Effectiveness of Software Security

The security practitioner must regularly assess the effectiveness of software security using the following methods:
• System Authorization: This involves certification and accreditation or authorization of systems that process, store, or transmit information. It ensures that a control framework is selected and uniformly implemented across the organization with the help of standards.
• Auditing and logging: Most software is released with many vulnerabilities. Appropriate auditing and logging of changes helps identify security issues. Organizations must adequately address these issues by applying appropriate procedures to check and maintain information integrity and accuracy.
Let us discuss some more methods of assessing software security in the next screen.

60 Assessing the Effectiveness of Software Security (contd.)

Risk Analysis and Mitigation must be integrated in the SDLC as an ongoing activity, and in Change Management. A well-designed risk analysis and mitigation technique uses standardized methods outlined in frameworks, such as ISO and NIST, to assess risk and report to stakeholders. It involves tracking and managing vulnerabilities identified in the risk assessment and taking corrective actions for mitigation by reviewing and prioritizing the findings. The security practitioner must also ensure correct testing and verification. All mitigation measures must be thoroughly tested and verified by independent assessors to ensure that the security flaw has actually been corrected. Let us discuss the security impact of acquired software in the next screen.

61 Assessing the Security Impact of Acquired Software

Acquired software can introduce new vulnerabilities into the system and may have an impact on the organization’s risk posture. The security practitioner must ensure that the vulnerabilities are identified and mitigated. The security of the acquired software can be assessed by:
• Using security tools to test the software for vulnerabilities: There are many commercial and free tools the security practitioner can use to conduct a software vulnerability assessment.
• Verifying whether the software development firm has followed secure processes.
• Checking developer conformance to international standards like ISO 27034 (Read as: I-S-O-twenty-seven-thousand-and-thirty-four): This standard offers guidance on information security to those who specify, design and program or procure, implement, and use application systems. The aim is to ensure that computer applications deliver the desired or necessary level of security in support of the organization’s Information Security Management System, adequately addressing the security risks.
Let us now discuss in the next screen two other important areas of software development security: Code Repositories and Application Programming Interfaces.

62 Code Repositories and Application Programming Interfaces

A Code Repository is a file archive and web hosting facility in which a large amount of source code is stored privately or publicly. For example, source code repositories are used by open-source projects and other multi-developer projects to handle various versions. Securing a code repository requires physical, system, operational, software, and communication security. It also requires file system and backup security, and access control. An Application Programming Interface or API is a group of protocols, routines, and tools for building a software application. A security practitioner must understand the different techniques of securing APIs (Read as: A-P-eyes), involving the use of:
• OAuth (Read as: O-Auth), or Open standard for API access delegation
• BasicAuth or Basic Authentication, in which the user agent must authenticate itself with a username and a passw
