lec 1 Secure.pdf

Full Transcript

1
 Introduction to Secure Software Development

What is secure software?

The main objective of software security

The key elements of a secure SDLC process

Threats that target software

Attack Paths

Potential impacts of successful attacks

2
Introduction to Secure Software
Development

3
Main Purpose

The main purpose of secure software development the life cycle is

to arm developers, integrators, and testers with the information

they need to incorporate security considerations and principles

into the practices and processes they use to produce software,

and thereby increase the likelihood that the resulting software will

be secure.

4
Main Purpose
The principles and practices identified in this course can inform
the use of a variety of frameworks, models, and standards that
provide the infrastructure for repeatable processes and
continuous process improvement and capability Maturity Model
Integration. To support the integration of assurance considerations
in the development lifecycle and other secure system and
software engineering models and experiences.

5
Intended Software Practitioners

3. Programmers
Requirements 2. Architects and
(also known as
analysts designers
“coders”)

4. Software
5. Testers 6. Maintainers
integrators

8. Security experts
7. Software 9. Software project
assigned to work
configuration technical
with software
managers leads/managers.
development

Intended Software Practitioners

6
WHAT IS SECURE SOFTWARE?

Cannot correctly authenticate its users

Control access to its resources

Validate digital signatures

Exploitable weaknesses that can be used to
bypass or compromise vulnerabilities

7
WHAT IS SECURE SOFTWARE?

Dependable software executes predictably and operates
correctly under all conditions including when the software
Dependa comes under attack or runs on a malicious host.
bility

the software must contain no malicious logic that causes it to
Trustwort behave in a malicious manner.
hiness

recover as quickly as possible, and with as little damage as
Survivabil possible, from those attacks that it can neither resist nor
ity tolerate.

Secure software must exhibit three main properties

8
Factors influence software security

Development principles and practices

Practitioner knowledge: The level of
security awareness and knowledge of the
Development tools
software’s analysts, designers, developers,
testers, and maintainers.

Acquired components: commercial-off-the-
Execution environment: its underlying and shelf (COTS) and open source software
surrounding execution environment. (OSS) components were evaluated, selected,
and integrated.

Deployment configuration: How the software
was configured during its installation.

9
Software is subject to threats at various points in its life cycle

During development (mainly insider
threats):
A developer may corrupt the software intentionally or
unintentionally in ways that will compromise that
software's dependability and trustworthiness when it is
operational.

During deployment (mainly insider threats):

software’s installer may fail to “lock down” the host
platform, and may configure the software insecurely.
The user organization may not only fail to apply
necessary patches and updates, but may fail to upgrade
to newer, supported versions of the software.

10
Software is subject to threats at various points in its life cycle

During operation (both insider and outsider
threats)
Any software system that runs on a network-connected platform
will have its vulnerabilities exposed during its operation.
Depending on whether the network is public or private, Internet-
connected or not,
Potential threats from malicious insiders (users, administrators,
etc.)

During sustainment (mainly insider threats):

Those responsible for addressing discovered vulnerabilities in
released software fail to issue patches or updates in a timely
manner to correct those vulnerabilities.
Moreover, they fail to seek out and eliminate the root causes of the
vulnerabilities to prevent their perpetuation in future releases of the
software

11
The key elements of a secure SDLC process

Secure software Adequate
Security criteria in Adequate
principles and architecture and
SDLC checkpoints requirements
practices design

Secure software Secure distribution
Secure coding Security testing
integration and deployment

Secure
configuration Security-
Secure Supportive
management knowledgeable
sustainment development tools
systems and developers
processes

Secure project
management and
upper management
commitment

12
Threats that target software
Threat

is any actor, agent, circumstance, or event that has the potential to cause harm
to that system or to the data or resources to which the system has or enables
access.

Threats can be categorized according to their intentionality: they can be
Unintentional
Intentional but non-malicious
Intentional but malicious
- only malicious threats are realized by attacks.
- The majority of attacks against software take advantage of, or exploit,
some vulnerability or weakness in that software
- for this reason, “attack” is often used interchangeably with “exploit.
Attack

referring to the action against the targeted software.

Exploit

referring to the mechanism (e.g., a technique or malicious code) by which that action is
13
Threats that target software (Unintentional)

Development

Programmer ignorant of secure coding practices.
writes a C module that makes unsafe library calls.

Deployment

Administrator accidentally assigns “world” write permissions to the
directory in which the software will be installed.

Operation

User is able to enter overlong input because the HTML input form did not
validate and truncate the excess characters.

14
Threats that target software
(Intentional but not malicious)

Development

Programmer pressured by management to deliver source code
under a tight deadline foregoes security code review.

Deployment

Administrator assigns “root” privileges to a software program that
was implemented in such a way that it can only run as root.

Operation

Frustrated user repeatedly refreshes and resubmits the same input
data to an application that was not designed to return an
acknowledgement that the user’s input data had been received.

15
Threats that target software
(Intentional and malicious)

Development

Programmer intentionally includes three exploitable flaws and a backdoor in his
source code.

Deployment

Installer leaves the application’s default password unchanged to make life
easier for attacker with whom she is colluding.
Administrator intentionally configures the application firewall to allow inbound
Uniform Resource Locators (URLs) that contain executable content.

Operation

Attacker launches a Structured Query Language (SQL) injection attack against
a Web-based database application.
Developer submits a predefined data string to a Web application that he knows
will trigger execution of the logic bomb he planted in that application.

16
Threats that target software
(Indirect attacks)
Not all attacks directly target the software itself.
Targets for indirect attacks can leave the software vulnerable to direct attack
Target Attack and objective
Software boundary or Intentional triggering of an external fault (e.g., in an
“surface” interface mechanism) at the software boundary (or surface)
Execution environment Intentional changes of execution environment state from
correct/expected to incorrect/unexpected can result in a
misbehavior by the software;
Trigger for malicious code Various events may trigger the execution of malicious code
such as:
- time bombs, logic bombs, and Trojan horses
- a particular file being opened or closed,
- a certain parameter value being received.
External services - Most software today relies on other software services to
perform functions on its behalf, such as authentication,
code signatures or application firewalls.
- Failure of external protections may leave the software
vulnerable to direct attack
17
Threats
hreats that
thattarget
target software
software
(Types of input data in order to deliver malicious payloads)
Command line parameters

Environment variables

Universal Resource Locators (URLs)

Other filename references

Uploaded file content

Flat file imports

Hyper Text Transfer Protocol (HTTP) headers

HTTP GET parameters

Form fields (especially hidden fields)

Selection lists, drop-down lists

Cookies

Java applet communications
18
Attack Paths
Network elements

such as the network services and Transmission Control Protocol
ports used to enable communications by or with the targeted system, or
network
security devices relied on to block or filter undesirable input before it
reaches the system;

Software elements of the system itself (application-
level and middleware-level),
including software services, application programmatic interfaces (APIs),
remote
procedure calls (RPCs), third-party software components, or embedded
back doors, Trojan horses, or malicious code;

Execution environment elements

such as vulnerabilities in the operating system,
runtime system (including any runtime code interpreters), or virtual
machine

An attacker may deliver spurious input or malicious code to
targeted software systems
19
Potential impacts of successful attacks

Unexpected or unauthorized software
execution;

Unauthorized access to the software, the
resources it relies on, or the data it handles;

Unauthorized changes to the software, the
resources it relies on, or the data it handles;

Denial of service (the software itself, its
resources, and/or its data).

The potential impacts of successful attacks on software-intensive
systems and their components

20