lec 1 Secure.pdf
Document Details
Uploaded by GaloreCosine
Full Transcript
1 Introduction to Secure Software Development What is secure software? The main objective of software security The key elements of a secure SDLC process Threats that target software Attack Paths Potential impacts of successful attacks 2 Introductio...
1 Introduction to Secure Software Development What is secure software? The main objective of software security The key elements of a secure SDLC process Threats that target software Attack Paths Potential impacts of successful attacks 2 Introduction to Secure Software Development 3 Main Purpose The main purpose of secure software development the life cycle is to arm developers, integrators, and testers with the information they need to incorporate security considerations and principles into the practices and processes they use to produce software, and thereby increase the likelihood that the resulting software will be secure. 4 Main Purpose The principles and practices identified in this course can inform the use of a variety of frameworks, models, and standards that provide the infrastructure for repeatable processes and continuous process improvement and capability Maturity Model Integration. To support the integration of assurance considerations in the development lifecycle and other secure system and software engineering models and experiences. 5 Intended Software Practitioners 3. Programmers Requirements 2. Architects and (also known as analysts designers “coders”) 4. Software 5. Testers 6. Maintainers integrators 8. Security experts 7. Software 9. Software project assigned to work configuration technical with software managers leads/managers. development Intended Software Practitioners 6 WHAT IS SECURE SOFTWARE? Cannot correctly authenticate its users Control access to its resources Validate digital signatures Exploitable weaknesses that can be used to bypass or compromise vulnerabilities 7 WHAT IS SECURE SOFTWARE? Dependable software executes predictably and operates correctly under all conditions including when the software Dependa comes under attack or runs on a malicious host. bility the software must contain no malicious logic that causes it to Trustwort behave in a malicious manner. hiness recover as quickly as possible, and with as little damage as Survivabil possible, from those attacks that it can neither resist nor ity tolerate. Secure software must exhibit three main properties 8 Factors influence software security Development principles and practices Practitioner knowledge: The level of security awareness and knowledge of the Development tools software’s analysts, designers, developers, testers, and maintainers. Acquired components: commercial-off-the- Execution environment: its underlying and shelf (COTS) and open source software surrounding execution environment. (OSS) components were evaluated, selected, and integrated. Deployment configuration: How the software was configured during its installation. 9 Software is subject to threats at various points in its life cycle During development (mainly insider threats): A developer may corrupt the software intentionally or unintentionally in ways that will compromise that software's dependability and trustworthiness when it is operational. During deployment (mainly insider threats): software’s installer may fail to “lock down” the host platform, and may configure the software insecurely. The user organization may not only fail to apply necessary patches and updates, but may fail to upgrade to newer, supported versions of the software. 10 Software is subject to threats at various points in its life cycle During operation (both insider and outsider threats) Any software system that runs on a network-connected platform will have its vulnerabilities exposed during its operation. Depending on whether the network is public or private, Internet- connected or not, Potential threats from malicious insiders (users, administrators, etc.) During sustainment (mainly insider threats): Those responsible for addressing discovered vulnerabilities in released software fail to issue patches or updates in a timely manner to correct those vulnerabilities. Moreover, they fail to seek out and eliminate the root causes of the vulnerabilities to prevent their perpetuation in future releases of the software 11 The key elements of a secure SDLC process Secure software Adequate Security criteria in Adequate principles and architecture and SDLC checkpoints requirements practices design Secure software Secure distribution Secure coding Security testing integration and deployment Secure configuration Security- Secure Supportive management knowledgeable sustainment development tools systems and developers processes Secure project management and upper management commitment 12 Threats that target software Threat is any actor, agent, circumstance, or event that has the potential to cause harm to that system or to the data or resources to which the system has or enables access. Threats can be categorized according to their intentionality: they can be Unintentional Intentional but non-malicious Intentional but malicious - only malicious threats are realized by attacks. - The majority of attacks against software take advantage of, or exploit, some vulnerability or weakness in that software - for this reason, “attack” is often used interchangeably with “exploit. Attack referring to the action against the targeted software. Exploit referring to the mechanism (e.g., a technique or malicious code) by which that action is 13 Threats that target software (Unintentional) Development Programmer ignorant of secure coding practices. writes a C module that makes unsafe library calls. Deployment Administrator accidentally assigns “world” write permissions to the directory in which the software will be installed. Operation User is able to enter overlong input because the HTML input form did not validate and truncate the excess characters. 14 Threats that target software (Intentional but not malicious) Development Programmer pressured by management to deliver source code under a tight deadline foregoes security code review. Deployment Administrator assigns “root” privileges to a software program that was implemented in such a way that it can only run as root. Operation Frustrated user repeatedly refreshes and resubmits the same input data to an application that was not designed to return an acknowledgement that the user’s input data had been received. 15 Threats that target software (Intentional and malicious) Development Programmer intentionally includes three exploitable flaws and a backdoor in his source code. Deployment Installer leaves the application’s default password unchanged to make life easier for attacker with whom she is colluding. Administrator intentionally configures the application firewall to allow inbound Uniform Resource Locators (URLs) that contain executable content. Operation Attacker launches a Structured Query Language (SQL) injection attack against a Web-based database application. Developer submits a predefined data string to a Web application that he knows will trigger execution of the logic bomb he planted in that application. 16 Threats that target software (Indirect attacks) Not all attacks directly target the software itself. Targets for indirect attacks can leave the software vulnerable to direct attack Target Attack and objective Software boundary or Intentional triggering of an external fault (e.g., in an “surface” interface mechanism) at the software boundary (or surface) Execution environment Intentional changes of execution environment state from correct/expected to incorrect/unexpected can result in a misbehavior by the software; Trigger for malicious code Various events may trigger the execution of malicious code such as: - time bombs, logic bombs, and Trojan horses - a particular file being opened or closed, - a certain parameter value being received. External services - Most software today relies on other software services to perform functions on its behalf, such as authentication, code signatures or application firewalls. - Failure of external protections may leave the software vulnerable to direct attack 17 Threats hreats that thattarget target software software (Types of input data in order to deliver malicious payloads) Command line parameters Environment variables Universal Resource Locators (URLs) Other filename references Uploaded file content Flat file imports Hyper Text Transfer Protocol (HTTP) headers HTTP GET parameters Form fields (especially hidden fields) Selection lists, drop-down lists Cookies Java applet communications 18 Attack Paths Network elements such as the network services and Transmission Control Protocol ports used to enable communications by or with the targeted system, or network security devices relied on to block or filter undesirable input before it reaches the system; Software elements of the system itself (application- level and middleware-level), including software services, application programmatic interfaces (APIs), remote procedure calls (RPCs), third-party software components, or embedded back doors, Trojan horses, or malicious code; Execution environment elements such as vulnerabilities in the operating system, runtime system (including any runtime code interpreters), or virtual machine An attacker may deliver spurious input or malicious code to targeted software systems 19 Potential impacts of successful attacks Unexpected or unauthorized software execution; Unauthorized access to the software, the resources it relies on, or the data it handles; Unauthorized changes to the software, the resources it relies on, or the data it handles; Denial of service (the software itself, its resources, and/or its data). The potential impacts of successful attacks on software-intensive systems and their components 20