Application Security
CISSP Guide to Security Essentials
Chapter 3
Objectives
• Types of applications
• Application models and technologies
• Application threats and countermeasures
• Security in the software development life cycle
Objectives (cont.)
• Application security controls
• Databases and data warehouses
Types of Applications
• Agents
– Standalone programs that are part of
a larger application
– Examples:
• Anti-virus
• Patch management
• Configuration management
Types of Applications (cont.)
• Applets
– Software programs that run within the
context of another program
– Example: media players within browser
Types of Applications (cont.)
• Client-server
– Separate programs on clients and servers
communicate via networks and work together
– Few developed now but many are in use
Types of Applications (cont.)
• Distributed
– Software components run on several systems
– Two-tier, three-tier, multi-tier
– Reasons: scalability, performance, geographical
Types of Applications (cont.)
• Web
– Web browser as client, application server
back-end
– Client software nearly universal
– Application software centralized
Application Models and Technologies
• Control flow languages
• Structured languages
• Object oriented languages
• Knowledge based languages
Control Flow Languages
• Linear, sequential
• Use of “if – then – else”
• Branching with “go to”
• Examples:
– BASIC, COBOL, Cold Fusion, FORTRAN, Perl, PHP, Python, VBScript
Structured Languages
• Nested, heavy use of subroutines and functions
• Little or no “go to”
• Examples:
– C
– Pascal
Object Oriented Languages
• Utilize concepts of object programming
– Classes, objects, instances, and inheritance
– Methods, instantiations
– Encapsulation, abstraction, polymorphism
• Examples
– C++, Java, Ruby, Simula, Smalltalk
Knowledge Based Applications
• Neural networks
– Modeled after biological reasoning processes
– Artificial neurons that store pieces of information
– Given cases about situations and outcomes,
can predict future outcomes
Knowledge Based Applications (cont.)
• Expert systems
– Inference engine and knowledge base of past situations and outcomes
Threats to Applications
• Reasons for attacks
– Industrial espionage
– Vandalism and disruption
– Denial of service
– Political / religious
Threats to Applications (cont.)
• Buffer overflow attacks
– Disrupt a software application by providing more data to the application than it was designed to handle
Threats to Applications (cont.)
• Buffer overflow attacks (cont.)
– Types
• Stack buffer overflow
• NOP sled attack
• Heap overflow
• Jump to register attack
In Java
• Instance variables and objects lie on the heap.
• Local variables and methods lie on the stack. So if we have a main method which calls the go() method, which calls the gone() method, then the stack from top to bottom would consist of:
• gone()
• go()
• main()
Threats to Applications (cont.)
• Examples: Morris worm, ping of death, Code Red worm
• Buffer overflow attack countermeasures
– Use safe languages and libraries
– Executable space protection
– Stack smashing protection
– Application firewalls
Threats to Applications (cont.)
• Covert channel
– Unintended and hidden channel of communications
– Types:
• Covert storage channel: read a storage
location and learn about the application
or other data
Threats to Applications (cont.)
– Covert channel types (cont.)
• Timing channel: observe timings in an
application to determine what is happening
in the application
• Countermeasures
– Careful software analysis, good software
engineering
– Newer versions of firewall
Threats to Applications (cont.)
• Side channel attack
– An attack on a cryptosystem based upon
physical information gained from the system
– Examples: timing, power consumption, emanations,
and even sounds
Threats to Applications (cont.)
• Countermeasures
– Limit release of information through
shielding and other means
Threats to Applications (cont.)
• Malicious software
– Types: viruses, worms, Trojan horses, rootkits,
bots, spam, pharming, spyware, key loggers
– Purpose
• Steal, corrupt, or destroy information
• Remote control
• Denial of service
Threats to Applications (cont.)
• Types of malware
– Virus: human assisted replication, embed in
programs, files, master boot records
– Worm: self replicating, scan for victims,
rapid spread
– Trojan horse: claims one function,
but is malware
Threats to Applications (cont.)
• Types of malware (cont.)
– Rootkit: hide within or beneath the
operating system
– Bot: remote control zombie
– Spam: unsolicited e-mail
Threats to Applications (cont.)
• Types of malware (cont.)
– Pharming: attack on DNS to redirect traffic
to decoy application
– Spyware: collect information about usage,
forward to central server
– Key logger: logs keystrokes and mouse
movements, forwards to central server
Threats to Applications (cont.)
• Malware countermeasures
– Anti-malware
– Patches
– Firewalls and application firewalls
– Hardened systems
Threats to Applications (cont.)
• Malware countermeasures (cont.)
– Intrusion detection systems
– Decreased privilege levels
– Penetration testing
Threats to Applications (cont.)
• Input attacks
– Buffer overflow
– Script injection
– Cross site scripting
– Cross site request forgery
Threats to Applications (cont.)
• Countermeasures
– Input field filtering, application firewall, application vulnerability scanning, software developer training
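An added example, not from the textbook, in Python with the standard library: input field filtering for the attacks listed above, shown as an allowlist check on a username field, a concatenated query beside its parameterized form (an input with an apostrophe breaks the former and is plain data to the latter), and HTML escaping on output against cross-site scripting. The users table and its values are constructed.

```python
import html
import re
import sqlite3

# Allowlist for a username field: only the characters the field needs, bounded length.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{3,32}")


def valid_username(value: str) -> bool:
    """Input field filtering: reject anything outside the allowlist or length bound."""
    return USERNAME_RE.fullmatch(value) is not None


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def role_unsafe(conn: sqlite3.Connection, name: str):
    """Defective pattern: input is concatenated into the statement, so a quote in the
    data changes the statement itself; this is what script injection relies on."""
    rows = conn.execute("SELECT role FROM users WHERE name = '" + name + "'").fetchall()
    return rows[0][0] if rows else None


def role_safe(conn: sqlite3.Connection, name: str):
    """Hardened form: a bound parameter is always data, never part of the statement."""
    rows = conn.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchall()
    return rows[0][0] if rows else None


def concatenation_breaks(conn: sqlite3.Connection, name: str) -> bool:
    """True when the concatenated query no longer parses for this input."""
    try:
        role_unsafe(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


def render_greeting(name: str) -> str:
    """Output encoding for cross-site scripting: escape before placing data in HTML."""
    return "<p>Hello, " + html.escape(name) + "</p>"
```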
Threats to Applications (cont.)
• Object reuse
– Use of a resource belonging to another
process, including:
• Memory, databases, file systems, temporary
files, and paging space
Threats to Applications (cont.)
• Object reuse countermeasures
– Application isolation
– Server virtualization
– Developer training
Threats to Applications (cont.)
• Mobile code
– Executable code, active content, downloadable
content
– Examples: active website content, downloaded
programs
– Some is desired, but some is malicious in nature
Threats to Applications (cont.)
• Mobile code countermeasures
– Anti-malware, mobile code access controls
– Reduced user privileges
Threats to Applications (cont.)
• Social engineering
– Attack on personnel to gain secrets
– People are vulnerable because they want
to help
• Social engineering countermeasures
– Security awareness training that includes
accountability
Threats to Applications (cont.)
• Time of check / time of use (TOCTOU)
– Also known as a “race condition”
– Defect in resource allocation and management
controls
– Possible exploitation to cause harm or steal data
Threats to Applications (cont.)
• TOCTOU countermeasures
– Reviews of resource allocation controls
– Improve privacy of communications
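As an added illustration (not from the textbook) of the check-then-use defect the TOCTOU slides describe, the following Python shows a reader that tests a file name and then opens that name, beside a version that opens first and checks the descriptor it actually uses. The settings file and symlink are constructed in a temporary directory, and the example assumes a POSIX system with O_NOFOLLOW.

```python
import os
import stat
import tempfile


def read_settings_racy(path: str) -> str:
    """Time of check (isfile on the name) is separate from time of use (open on the
    name); whatever the name resolves to at the second step is read, so a symlink or
    rename between the two steps defeats the check."""
    if not os.path.isfile(path):                      # check
        raise PermissionError("not a regular file")
    with open(path, encoding="utf-8") as f:           # use
        return f.read()


def read_settings_safe(path: str) -> str:
    """Open once without following symlinks, then check the descriptor itself; check
    and use now refer to the same underlying object."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)                              # check the opened object
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        return os.read(fd, st.st_size).decode("utf-8")  # use the same object
    finally:
        os.close(fd)


def safe_rejects(path: str) -> bool:
    """True when the hardened reader refuses the path (for example a symlink)."""
    try:
        read_settings_safe(path)
        return False
    except OSError:            # ELOOP from O_NOFOLLOW, or the PermissionError above
        return True


def make_fixture() -> tuple:
    """Constructed layout: a real settings file and a symlink pointing at it."""
    d = tempfile.mkdtemp()
    real = os.path.join(d, "settings.txt")
    with open(real, "w", encoding="utf-8") as f:
        f.write("debug=false\n")
    link = os.path.join(d, "link.txt")
    os.symlink(real, link)
    return real, link
```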
Threats to Applications (cont.)
• Back door / maintenance hook
– Access holes deliberately planted by a developer
• To facilitate easier testing during development
• To facilitate production access
• To facilitate a break-in
Threats to Applications (cont.)
• Back door countermeasures
– Code reviews
– Source code control
Threats to Applications (cont.)
• Logic bombs
– Deliberate malfunction that causes harm
– Time bombs
• Malfunction on a given date and time
– Event bombs
• Malfunction on a specific event
Threats to Applications (cont.)
• Logic bomb countermeasures
– Software source code review, external audits
Security in the Software Development Life Cycle (SDLC)
• SDLC
– The entire collection of processes used to design, develop, test, implement, and maintain software
Security in the Software Development Life Cycle (cont.)
• Security must be included in each step of the SDLC
– Conceptual
– Requirements and specifications development
– Application design, coding, and testing
Security in the Software Development Life Cycle (cont.)
• Security in the conceptual stage
– Presence of sensitive information must be identified
– Access controls (users, administrators, third parties)
– Regulatory conditions
– Security dependencies
Security in the Software Development Life Cycle (cont.)
• Security application requirements and specifications
– Functional requirements
– Standards
– Security requirements
• Roles, access controls, audit logging, configuration
management
Security in the Software Development Life Cycle (cont.)
• Requirements and specifications (cont.)
– Regulatory requirements
– Test plan a byproduct of requirements
Security in the Software Development Life Cycle (cont.)
• Security in application design
– Adhere to all requirements and specifications
– Published design documents
– Design reviews
• Reviewed by all stakeholders including security
Security in the Software Development Life Cycle (cont.)
• Threat risk modeling
– Identify threats and risks prior to development
• Tool: Microsoft Threat Analysis and Risk
– Possible changes to specs, req’s, or design
Security in the Software Development Life Cycle (cont.)
• Security in application coding
– Develop safe code
• Free of common vulnerabilities – particularly web apps
• Unvalidated input / broken access control
• Broken authentication / scripting attack
• Buffer overflow / insecure storage
– Use safe libraries that include safe functions for input validation
Security in the Software Development Life Cycle (cont.)
• Security in testing
– Testing should verify correct coding of
every requirement and specification
• Tools: WebInspect, AppScan
Security in the Software Development Life Cycle (cont.)
• Protect the SDLC itself
– Source code access control
• Protect source code
• Protect development tools / libraries
• Record version changes
– Protection of software development and testing tools
• Protect from unauthorized modifications
Security in the Software Development Life Cycle (cont.)
• Protect SDLC (cont.)
– Protection of software development systems
• Prevent introduction of malware, back doors,
logic bombs
Application Environment and Security Controls
• Controls that must be present in a developed application
– Authentication
• Limiting access to only legitimate, approved users
• Own authentication / enterprise-wide LDAP, Active Directory
– Authorization
• Limiting access only to approved functions and data
• Thousands of functions / thousands of users
Application Environment and Security Controls (cont.)
• Controls (cont.)
– Role-based Access Control
• Based on job description / job code
– Audit logging
• Logging of all actions in the application
– Date/time, user, user’s location
– Event name
– Relevant data
– Audit log protection
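An added example, not from the textbook, of the audit record fields listed above together with one form of audit log protection: each record carries an HMAC over its own fields and the previous record's tag, so an altered, inserted or deleted entry breaks the chain. The key and the sample events are constructed.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed key; in practice it is held outside the application that writes the log.
LOG_KEY = b"example-audit-key-not-for-production"


def _canonical(body: dict) -> bytes:
    """Fixed serialization so writer and verifier hash exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def make_record(user: str, location: str, event: str, data: dict,
                prev_tag: str, when=None) -> dict:
    """One audit entry with the fields listed on the slide, chained to the prior tag."""
    when = when or datetime.now(timezone.utc)
    body = {"time": when.isoformat(), "user": user, "location": location,
            "event": event, "data": data, "prev": prev_tag}
    body["tag"] = hmac.new(LOG_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return body


def verify_chain(records: list) -> bool:
    """Audit log protection: each tag must match its record and link to the previous
    tag, so an altered, inserted or deleted entry is detected."""
    prev = "genesis"
    for rec in records:
        body = {k: v for k, v in rec.items() if k != "tag"}
        if body.get("prev") != prev:
            return False
        expected = hmac.new(LOG_KEY, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec.get("tag", "")):
            return False
        prev = rec["tag"]
    return True


def sample_log() -> list:
    """Constructed events: a login followed by a report export."""
    t0 = datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)
    first = make_record("alice", "10.0.0.5", "login", {"result": "ok"}, "genesis", t0)
    second = make_record("alice", "10.0.0.5", "export_report", {"report_id": 42},
                         first["tag"], t0)
    return [first, second]
```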
Database Architectures
• Various databases – SQL Server, Oracle, DB2, Sybase, etc.
• Hierarchical databases: tree structure, Internet’s DNS, legacy
• Network databases: complex tree structure, legacy
• Object databases: OO, methods stored with data
Database Architectures (cont.)
• Distributed databases: physically distributed, any type
• Relational databases (RDBMS): in widest use today
– Structure is defined by schema
– Data modeling tools are used to create schema
– Oracle, SQL Server, DB2, MySQL, etc.
Database Transactions
• Records retrieval
• Records update
• Records creation
• Nested or complex transactions executed as a unit
– Begin work… <transactions> …end work
Database Security Controls
• Access controls
– Userids, passwords
– Table / row / field level access control
– Read-only or read/write
Database Security Controls (cont.)
• Views
– Virtual tables that are a subset of individual
tables, or a “join” between tables
– Permission given to views just like
“real” tables
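An added example (not from the textbook) with Python's standard sqlite3 module covering the transaction and view slides above: a transfer run as a unit between begin work and end work, rolled back when its second statement fails, and a view that exposes a subset of the table's columns so that permissions can be granted on the view instead of the table. The accounts table and its rows are constructed.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed accounts table; the CHECK constraint stands in for a business rule."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, "
                 "ssn TEXT, balance INTEGER CHECK (balance >= 0))")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?)",
                     [(1, "alice", "123-45-6789", 100), (2, "bob", "987-65-4321", 50)])
    conn.commit()
    return conn


def transfer(conn: sqlite3.Connection, src: int, dst: int, amount: int) -> bool:
    """A complex transaction executed as a unit: begin work ... end work.
    If the debit breaks the constraint, the credit already applied is undone too."""
    conn.execute("BEGIN")                                   # begin work
    try:
        conn.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?",
                     (amount, dst))
        conn.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?",
                     (amount, src))
        conn.execute("COMMIT")                              # end work: both changes visible
        return True
    except sqlite3.IntegrityError:
        conn.execute("ROLLBACK")                            # neither change persists
        return False


def balances(conn: sqlite3.Connection) -> dict:
    """Owner -> balance, used to observe the effect of a transaction."""
    return dict(conn.execute("SELECT owner, balance FROM accounts ORDER BY id"))


def create_summary_view(conn: sqlite3.Connection) -> None:
    """A view that is a subset of the table: the ssn column is left out, so a user
    granted access to the view (as to a "real" table) never sees it."""
    conn.execute("CREATE VIEW account_summary AS "
                 "SELECT owner, balance FROM accounts")


def view_columns(conn: sqlite3.Connection) -> list:
    """Column names a reader of the view can actually see."""
    cur = conn.execute("SELECT * FROM account_summary")
    return [col[0] for col in cur.description]
```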
Summary
• Types of applications: agents, applets,
client-server, distributed, web
• Application language types: control
flow, structured, object oriented,
knowledge based
Summary (cont.)
• Reasons for threats to applications:
industrial espionage, vandalism and
disruption, denial of service,
political / religious
Summary (cont.)
• Types of threats
– buffer overflow, covert channel, side channel,
malware, input attacks, object reuse, mobile
code, social engineering, TOCTOU, back
door, logic bomb
Summary (cont.)
• Software development life cycle (SDLC)
steps
– Conceptual, requirements / specifications, design,
coding, testing, maintenance
– Source code control, configuration management
• Application environment security controls
– Authentication, access control, audit logging
Summary (cont.)
• Types of databases
– Hierarchical, network, distributed, object-oriented,
relational (most common)
• Database security controls: userid,
access control, audit logging, views