1 / 19

Topic 8: Application Security

This topic covers the objectives of application security in software development, including the concepts, programming languages, and software protection methods. It also explores various threats and malware that can affect software systems.

sophiec
Download Presentation

Topic 8: Application Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. ISA 562Internet Security Theory & Practice Topic 8: Application Security

  2. Objectives Software security controls Viruses, bombs, malicious software …etc Software Development life cycle 2

  3. Introduction Security concepts that apply during the software development, operation and maintenance process Platform environment be based on a layered approach, beginning with the end user at the top Operating system and application software consists of relatively complex computer programs. 3

  4. Programming Concepts Programming languages generations 4

  5. Programming Concepts • Programming languages examples • C, C++, Java, COBOL, etc • Web based programming • HTML, XML , Active X, Java Script, etc • Programming utilities and requirements • Assembler: translates assembly to machine language • Compiler: translates high-level source code to machine language • Interpreter: translates it statement-by-statement • Programming models • System Model • Von Neumann Architecture • Object Oriented Programming • Inheritance • Polymorphism • Polyinstantiation • Distributed Component Object Model ( DCOM ) • Common Object Request Broker Architecture ( CORBA ) 5

  6. Threats and Malware • Major threats and malware • Denial of Service & Distributed DOS • Buffer Overflow • SQL Injection • Man-in-the-middle • Unicode attack • Cache Poisoning • Time of Check/Time of use • Garbage Reuse • Trap Door • Web Applets • Dynamic Email • Cross-site Scripting • Social Engineering • Etc ( for more read book and go to www.owasp.org ) 6

  7. Threats and Malware • Virus • The ability to reproduce and spread with a required action by the user • Some types include • File Infector, Boot Sector, Email Virus, Macro, Etc • Some Anti-Detection methods in viruses • Stealth • Tunneling • Polymorphism 7

  8. Threats and Malware: Example Old Viruses • 1982 --- Elk Cloner, widely credited with being the first virus to appear "in the wild" (outside a lab), infects Apple II machines. • 1983 ---The term "computer virus"is coined by Fred Cohen, an early virus researcher. He will later formally define the term in his dissertation as "a program that can 'infect' other programs by modifying them to include a possibly evolved version of itself.“ • 1986 --- Brain.The Brain boot sector virus bursts forth on the scene, spreading upon reboot via a floppy disk left in the A: drive. In addition to being the first PC virus, it's the first stealth virus -- infected disks appear to have uninfected boot sectors. • 1987 --- Lehigh. The Lehigh virus is discovered at Lehigh University. It's a memory-resident virus and the first to infect an executable file, COMMAND.COM. 8

  9. Threats and Malware: Newer Virus Examples • 2001 ---Sircam, Code Red, Nimda and Bad Trans • 2002--- Melissa AuthorSentenced Celebrity-Named Viruses, David L. Smith,the convicted author of the Melissa virus, is sentenced to 20 months in a federal prison • 2003 ---SQL Slammer, Blaster, Sobig.F and Sober • 2004 ---Bagle, MyDoom, Sasser, Witty and Santy • 2005--- Zotob.It's an Internet Relay Chat-based worm, providing back doors to a remote IRC channel and seeking new targets by looking for unpatched Plug-n-Play modules. • 2006 ---Trojans, Bots. Microsoft announces that back-door Trojans and bots are the biggest threat to PC users today. Of 5.7 million PCs running Microsoft's Malicious Software Removal Tool (MSRT), 62 percent had at least one Trojan. 9

  10. Threats and Malware • Worm • Reproduces and spreads, like a virus an unlike other forms of malware. • Uses loopholes in systems • Trojan Horse • Program that pretends to do one thing while performing another unwanted action • Logic Bomb • Generally implanted in or coded as part of an application under development or maintenance • Data Diddler • Payload in a Trojan or virus that deliberately corrupts data, generally by small increments over time. • Backdoor and Trapdoor • Implemented intentionally in development or by error usually by insider 10

  11. Threats and Malware • Remote Access Trojan (RAT) • Remote administration tools in order to convey a sense of legitimacy • Other Threats: • Pranks, Spyware, BotNets, Phishing etc. • For more read book and go to http://www.techweb.com/showArticle.jhtml?articleID=160200003 ) 11

  12. Software Protection Project Management based methodology of a System Development life Cycle: 12

  13. Software Protection • System Life cycle • Proper media Destruction or sanitization should be done • Software Development Methods • There are several methods that have evolved the following are some of the methods: • Spiral • Waterfall • Computer Aided Software Engineering (CASE) • Rapid Application Development • Prototyping, etc 13

  14. Audit Assurance Mechanisms • Assurance is important in system and application development • Mechanisms • Integrity of information • Information Auditing • Malware Assurance • Effective and workable policies are one of the best protections against malware of all kinds. • Change Management • Proper change management process is vital to continued software assurance 14

  15. Audit Assurance Mechanisms • Testing • Purpose is to find problems before the change is implemented • Address all normal and unexpected entries • Privacy is an important issue in testing • Configuration Management • Monitor and manage changes to application programs, documentation, hardware • Patch Management • Problems in patch management like: • Patch Failure • Patch rollback • Distributed System Failures 15

  16. Database and Warehousing Environment • Database Environment • Developed to manage information from many sources in one location • Provides • Transaction Persistence • Fault Tolerance and Recovery • Sharing by multiple Users • Security Controls • Many DBMS Models such as • Hierarchical, Network • Relational, Object-oriented 16

  17. Web Application Environment • Web Site Incidents • Denial of Service & Distributed DOS • Financial fraud • Vandalism, etc • Web Site Hacks • Majority of hacks at the application level • Session management • Input validation, etc 17

  18. Web Application Environment • Web Application Security Principles • Fail Safe and Fail Secure • Defense in depth • Do not cache secure pages • Do not trust any data from the client • Etc ( rest is in the book) 18

  19. References ISC2 CBK Material ISC2 Official CISSP Exam book 19

More Related