Developing Secure Software


Terms

  • Vulnerability: any exploitable weakness that can be used to breach confidentiality, integrity or availability
  • Threat: potential harm
  • Defect: any error introducing a software security vulnerability
  • Threat vector: the means through which a cyber criminal gains unauthorized access to protected resources
  • TPM (Trusted Platform Module): hardware module that protects encryption keys
  • Risk: manifests as probability and consequences
  • Requirement level threats: 
  • Architectural patterns: E.g. Single point of access 
  • Flaws: design error causing a software security vulnerability. E.g.: improper input validation -> SQL injection attacks
  • Bugs: coding error leading to software security vulnerability. They can be avoided by: 
- static and dynamic code analysis
- peer code review
  • Threat Modelling Process TMP
1. identification
2. analysis
3. categorization for priorities
4. mitigation
STRIDE threat model
S: Spoofing identity
T: Tampering with data
R: Repudiation
I: Information disclosure
D: Denial of Service
E: Elevation of privilege

Hardware level threats
1. eavesdropping: hardware key logger
2. man-made disruption: power outage, sabotage
3. natural disaster 
Countermeasures
1. geographically dispersed redundancy
2. UPS
3. Physical security

Secure design 
1. Security Tactics.
- Detect Attacks
- Resist Attacks
- React to Attacks
- Recover from Attacks
2. Security Patterns. Two Types 
- Design Patterns
- Architectural Patterns
Design patterns become Architectural patterns when applied consistently
3. Security Vulnerability
- CVE DB maintained by MITRE: Product specific details
- CWE: Category of CVE: Useful insights about what can go wrong. 
4. Architectural Analysis for Security AAFS Three phases
- ToAA Tactic-Oriented Architectural Analysis
- PoAA Pattern-Oriented Architectural Analysis
- VoAA Vulnerability-Oriented Architectural Analysis: Code inspection
5. Software Security Anti-Patterns
- unrestricted upload of files
- unrestricted path traversal
- hardcoded password

Secure Coding
1. Buffer overflow attacks due to Lack of user input validation
- automatic bounds checking
- built in language specific library model for safe buffer handling
- code scanner
- advanced compiler
- OS support
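An added C example, not part of the original notes, for item 1: an unchecked `strcpy` into a fixed-size stack buffer next to a bounded copy that validates the input length before writing. The buffer size, the function names `copy_bounded` and `greet_safe`, and the sample inputs are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_MAX_LEN 16   /* assumed fixed-size destination, including the NUL terminator */

/* Vulnerable pattern: the length of the untrusted input is never checked,
 * so any input of 16 bytes or more writes past the end of `name`.
 * Shown for contrast only; nothing below calls it. */
void greet_unsafe(const char *untrusted)
{
    char name[NAME_MAX_LEN];
    strcpy(name, untrusted);            /* no bounds check: stack buffer overflow */
    printf("hello, %s\n", name);
}

/* Hardened pattern: validate the input length up front and copy with an
 * explicit bound. Returns 0 on success, -1 if the input does not fit.
 * The scan itself is bounded by dst_size, so an unterminated source
 * cannot cause a read overrun either. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;

    size_t n = 0;
    while (n < dst_size && src[n] != '\0')
        n++;
    if (n == dst_size)                  /* no terminator within dst_size: too long */
        return -1;

    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Same greeting, but the input is validated before it touches the buffer. */
int greet_safe(const char *untrusted)
{
    char name[NAME_MAX_LEN];
    if (copy_bounded(name, sizeof name, untrusted) != 0) {
        fprintf(stderr, "rejected: input longer than %d bytes\n", NAME_MAX_LEN - 1);
        return -1;
    }
    printf("hello, %s\n", name);
    return 0;
}

int main(void)
{
    greet_safe("alice");                                   /* constructed: fits */
    greet_safe("this-name-is-far-too-long-for-the-buffer"); /* constructed: rejected */
    return 0;
}
```

The compiler and OS mitigations in the list above (stack protectors, non-executable stacks, address randomization) make the unsafe version harder to exploit, but only the length check removes the defect; the bounded copy is the "safe buffer handling" the notes refer to.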
2. broken authentication and session management
- Software Framework 
- OWASP Application Security Verification Standard (ASVS): V2 (Authentication) and V3 (Session Management)
3. Insecure Direct Object Reference
4. Exposing sensitive data
5. Access Control
- Identification
- Authentication
- Authorization
6. Input Validation
- Buffer overflow
- SQL injection
- Cross site scripting XSS
- Intercepting validation security pattern
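An added C example, not part of the original notes, of the intercepting validation pattern from item 6, which also covers the unrestricted path traversal anti-pattern from Secure design item 5: every field of an incoming request is checked against an allowlist at the boundary, and the business logic only runs on requests that passed. The request shape, the limits (32-character usernames, page numbers 1..1000), the function names and the sample inputs are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdlib.h>

/* Assumed shape of a request as it arrives from an untrusted client. */
struct request {
    const char *username;   /* expected: 1..32 chars from [A-Za-z0-9_] */
    const char *filename;   /* expected: a bare file name, no directory parts */
    const char *page;       /* expected: decimal integer 1..1000 */
};

enum validation_result {
    REQ_VALID = 0,
    REQ_BAD_USERNAME,
    REQ_BAD_FILENAME,
    REQ_BAD_PAGE
};

/* Allowlist check: only letters, digits and underscore, bounded length. */
static int valid_username(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 32) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '_')) return 0;
    }
    return 1;
}

/* Reject anything that could name a directory: separators, "..", a leading dot. */
static int valid_filename(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 64) return 0;
    if (s[0] == '.') return 0;                  /* covers "..", ".hidden" */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '/' || c == '\\') return 0;
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.')) return 0;
    }
    if (strstr(s, "..") != NULL) return 0;
    return 1;
}

/* Digits only, then a range check on the parsed value. */
static int valid_page(const char *s, long *out)
{
    if (*s == '\0') return 0;
    for (const char *p = s; *p != '\0'; p++)
        if (!isdigit((unsigned char)*p)) return 0;
    char *end;
    long v = strtol(s, &end, 10);
    if (*end != '\0' || v < 1 || v > 1000) return 0;
    *out = v;
    return 1;
}

/* The interceptor: all fields are validated here, before any business logic. */
enum validation_result intercept(const struct request *r, long *page_out)
{
    if (r->username == NULL || !valid_username(r->username)) return REQ_BAD_USERNAME;
    if (r->filename == NULL || !valid_filename(r->filename)) return REQ_BAD_FILENAME;
    if (r->page == NULL || !valid_page(r->page, page_out))   return REQ_BAD_PAGE;
    return REQ_VALID;
}

/* Business logic only ever sees requests that passed the interceptor. */
int handle(const struct request *r)
{
    long page = 0;
    enum validation_result v = intercept(r, &page);
    if (v != REQ_VALID) {
        printf("rejected request (reason %d)\n", (int)v);
        return -1;
    }
    printf("serving %s page %ld to %s\n", r->filename, page, r->username);
    return 0;
}

int main(void)
{
    /* Constructed sample inputs: one clean request, one traversal attempt,
     * one username carrying SQL metacharacters. */
    struct request ok   = { "alice", "report.txt", "3" };
    struct request trav = { "alice", "../../config/db.cfg", "3" };
    struct request meta = { "bob' OR '1'='1", "report.txt", "3" };
    handle(&ok);
    handle(&trav);
    handle(&meta);
    return 0;
}
```

The pattern's value is that each check is written once, at the point where data crosses the trust boundary, rather than scattered through the code that uses it. For SQL injection the allowlist is a defence in depth only; the query itself should still be parameterized.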

Testing for security
1. Static Analysis
2. Dynamic Analysis
- HCL AppScan
- Nikto2
- Qualys
3. Penetration Testing (Ethical Hacking)
- Kali Linux
4. Vulnerability Management Tools
- Nessus uses CVSS Common Vulnerability Scoring System

Recent Development and Future Directions
1. DevOps
2. DevSecOps https://www.redhat.com/en/topics/devops/what-is-devsecops
3. Cloud Security
- Hypervisor vulnerability
- Cloud Service Provider access physical machines
4. Developer friendly security tools and training
5. IoT and software security
6. Rules and Regulations
- GDPR General Data Protection Regulation. Compliance expectations 
-- Data controller
-- Data Producer
- HIPAA Health Insurance Portability and Accountability Act 
- PCI DSS Payment Card Industry Data Security Standard
7. Certification
- Global Information Assurance Certification GIAC
- The International Council of Electronic Commerce Consultants (EC-Council): Certified Application Security Engineer (CASE)
- International Information System Security Certification Consortium ((ISC)²)
(1) Certified Information Systems Security Professional CISSP 
(2) Certified Secure Software Lifecycle Professional CSSLP 
