1 / 67

Application Security

Application Security. CISSP Guide to Security Essentials Chapter 3. Objectives. Types of applications Application models and technologies Application threats and countermeasures Security in the software development life cycle. Objectives (cont.). Application security controls

ofira
Download Presentation

Application Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Application Security CISSP Guide to Security Essentials Chapter 3

  2. Objectives • Types of applications • Application models and technologies • Application threats and countermeasures • Security in the software development life cycle CISSP Guide to Security Essentials

  3. Objectives (cont.) • Application security controls • Databases and data warehouses CISSP Guide to Security Essentials

  4. Types of Applications • Agents • Standalone programs that are part of a larger application • Examples: • Anti-virus • Patch management • Configuration management CISSP Guide to Security Essentials

  5. Types of Applications (cont.) • Applets • Software programs that run within the context of another program • Example: media players within browser CISSP Guide to Security Essentials

  6. Types of Applications (cont.) • Client-server • Separate programs on clients and servers communicate via networks and work together • Few developed now but many are in use CISSP Guide to Security Essentials

  7. Types of Applications (cont.) • Distributed • Software components run on several systems • Two-tier, three-tier, multi-tier • Reasons: scalability, performance, geographical CISSP Guide to Security Essentials

  8. Types of Applications (cont.) • Web • Web browser as client, application server back-end • Client software nearly universal • Application software centralized CISSP Guide to Security Essentials

  9. Application Models and Technologies • Control flow languages • Structured languages • Object oriented languages • Knowledge based languages CISSP Guide to Security Essentials

  10. Control Flow Languages • Linear, sequential • Use of “if – then – else” • Branching with “go to” • Examples: • BASIC, COBOL, Cold Fusion, FORTRAN, Perl, PHP, Python, VBScript CISSP Guide to Security Essentials

  11. Structured Languages • Nested, heavy use of subroutines and functions • Little or no “go to” • Examples: • C • Pascal CISSP Guide to Security Essentials

  12. Object Oriented Languages • Utilize concepts of object programming • Classes, objects, instances, and inheritance • Methods, instantiations • Encapsulation, abstraction, polymorphism • Examples • C++, Java, Ruby, Simula, Smalltalk CISSP Guide to Security Essentials

  13. Knowledge Based Applications • Neural networks • Modeled after biological reasoning processes • Artificial neurons that store pieces of information • Given cases about situations and outcomes, can predict future outcomes CISSP Guide to Security Essentials

  14. Knowledge Based Applications (cont.) • Expert systems • Inference engine and knowledge base of past situations and outcomes CISSP Guide to Security Essentials

  15. Threats to Applications • Reasons for attacks • Industrial espionage • Vandalism and disruption • Denial of service • Political / religious CISSP Guide to Security Essentials

  16. Threats to Applications (cont.) • Buffer overflow attacks • Disrupt a software application by providing more data to the application than it was designed to handle CISSP Guide to Security Essentials

  17. Threats to Applications (cont.) • Buffer overflow attacks (cont.) • Types • Stack buffer overflow • NOP sled attack • Heap overflow • Jump to register attack CISSP Guide to Security Essentials

  18. In Java • Instance variables and Objects lie on Heap. • Local variables and methods lie on the Stack. So if we have a main method which calls the go() method which calls the gone() method then the stack from top to bottom would consist of CISSP Guide to Security Essentials

  19. gone() • go() • main() CISSP Guide to Security Essentials

  20. CISSP Guide to Security Essentials

  21. Threats to Applications (cont.) • Examples: Morris worm, ping of death, code red worm • Buffer overflow attack countermeasures • Use safe languages and libraries • Executable space protection • Stack smashing protection • Application firewalls CISSP Guide to Security Essentials

  22. Threats to Applications (cont.) • Covert channel • Unintended and hidden channel of communications • Types: • Covert storage channel: read a storage location and learn about the application or other data CISSP Guide to Security Essentials

  23. Threats to Applications (cont.) • Covert channel types (cont.) • Timing channel: observe timings in an application to determine what is happening in the application • Countermeasures • Careful software analysis, good software engineering • Newer versions of firewall CISSP Guide to Security Essentials

  24. Threats to Applications (cont.) • Side channel attack • An attack on a cryptosystem based upon physical information gained from the system • Examples: timing, power consumption, emanations, and even sounds CISSP Guide to Security Essentials

  25. Threats to Applications (cont.) • Countermeasures • Limit release of information through shielding and other means CISSP Guide to Security Essentials

  26. Threats to Applications (cont.) • Malicious software • Types: viruses, worms, Trojan horses, rootkits, bots, spam, pharming, spyware, key loggers • Purpose • Steal, corrupt, or destroy information • Remote control • Denial of service CISSP Guide to Security Essentials

  27. Threats to Applications (cont.) • Types of malware • Virus: human assisted replication, embed in programs, files, master boot records • Worm: self replicating, scan for victims, rapid spread • Trojan horse: claims one function, but is malware CISSP Guide to Security Essentials

  28. Threats to Applications (cont.) • Types of malware (cont.) • Rootkit: hide within or beneath the operating system • Bot: remote control zombie • Spam: unsolicited e-mail CISSP Guide to Security Essentials

  29. Threats to Applications (cont.) • Types of malware (cont.) • Pharming: attack on DNS to redirect traffic to decoy application • Spyware: collect information about usage, forward to central server • Key logger: logs keystrokes and mouse movements, forwards to central server CISSP Guide to Security Essentials

  30. Threats to Applications (cont.) • Malware countermeasures • Anti-malware • Patches • Firewalls and application firewalls • Hardened systems CISSP Guide to Security Essentials

  31. Threats to Applications (cont.) • Malware countermeasures (cont.) • Intrusion detection systems • Decreased privilege levels • Penetration testing CISSP Guide to Security Essentials

  32. Threats to Applications (cont.) • Input attacks • Buffer overflow • Script injection • Cross site scripting • Cross site request forgery CISSP Guide to Security Essentials

  33. Threats to Applications (cont.) • Countermeasures • Input field filtering, application firewall, application vulnerability scanning, software developer training CISSP Guide to Security Essentials

  34. Threats to Applications (cont.) • Object reuse • Use of a resource belonging to another process, including: • Memory, databases, file systems, temporary files, and paging space CISSP Guide to Security Essentials

  35. Threats to Applications (cont.) • Object reuse countermeasures • Application isolation • Server virtualization • Developer training CISSP Guide to Security Essentials

  36. Threats to Applications (cont.) • Mobile code • Executable code, active content, downloadable content • Examples: active website content, downloaded programs • Some is desired, but some is malicious in nature CISSP Guide to Security Essentials

  37. Threats to Applications (cont.) • Mobile code countermeasures • Anti-malware, mobile code access controls • Reduced user privileges CISSP Guide to Security Essentials

  38. Threats to Applications (cont.) • Social engineering • Attack on personnel to gain secrets • People are vulnerable because they want to help • Social engineering countermeasures • Security awareness training that includes accountability CISSP Guide to Security Essentials

  39. Threats to Applications (cont.) • Time of check / time of use (TOCTOU) • Also known as a “race condition” • Defect in resource allocation and management controls • Possible exploitation to cause harm or steal data CISSP Guide to Security Essentials

  40. Threats to Applications (cont.) • TOCTOU countermeasures • Reviews of resource allocation controls • Improve privacy of communications CISSP Guide to Security Essentials

  41. Threats to Applications (cont.) • Back door / maintenance hook • Access holes deliberately planted by a developer • To facilitate easier testing during development • To facilitate production access • To facilitate a break-in CISSP Guide to Security Essentials

  42. Threats to Applications (cont.) • Back door countermeasures • Code reviews • Source code control CISSP Guide to Security Essentials

  43. Threats to Applications (cont.) • Logic bombs • Deliberate malfunction that causes harm • Time bombs • Malfunction on a given date and time • Event bombs • Malfunction on a specific event CISSP Guide to Security Essentials

  44. Threats to Applications (cont.) • Logic bomb countermeasures • Software source code review, external audits CISSP Guide to Security Essentials

  45. Security in the Software Development Life Cycle (SDLC) • SDLC • The entire collection of processes used to design, develop, test, implement, and maintain software CISSP Guide to Security Essentials

  46. Security in the Software Development Life Cycle (cont.) • Security must be included in each step of the SDLC • Conceptual • Requirements and specifications development • Application design, coding, and testing CISSP Guide to Security Essentials

  47. Security in the Software Development Life Cycle (cont.) • Security in the conceptual stage • Presence of sensitive information must be identified • Access controls (users, administrators, third parties) • Regulatory conditions • Security dependencies CISSP Guide to Security Essentials

  48. Security in the Software Development Life Cycle (cont.) • Security application requirements and specifications • Functional requirements • Standards • Security requirements • Roles, access controls, audit logging, configuration management CISSP Guide to Security Essentials

  49. Security in the Software Development Life Cycle (cont.) • Requirements and specifications (cont.) • Regulatory requirements • Test plan a byproduct of requirements CISSP Guide to Security Essentials

  50. Security in the Software Development Life Cycle (cont.) • Security in application design • Adhere to all requirements and specifications • Published design documents • Design reviews • Reviewed by all stakeholders including security CISSP Guide to Security Essentials

More Related