SlideShare a Scribd company logo

8. Software Development Security

Sam Bowne, profile picture
Sam Bowne

The document discusses various topics related to software development security including programming concepts, compilers and interpreters, procedural vs object-oriented programming, application development methods like waterfall vs agile, database security concepts, and assessing software vulnerabilities. It provides an overview of machine code, source code, and assembly language. It also describes compilers and interpreters, top-down vs bottom-up programming, open source vs proprietary software, and the software development lifecycle (SDLC) process.

Education
1 of 85
Downloaded 80 times
1
2
3
4
5
6
7
8
9
10
Most read
11
12
13
Most read
14
15
16
Most read
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
CNIT 125: Information Security Professional (CISSP Preparation) Ch 8. Software Development Security
Programming Concepts
Machine Code, Source Code, and Assembly Language • Machine code • Binary language built into CPU • Source code • Human-readable language like C • Assembly Language • Low-level commands one step above machine language • Commands like ADD, SUB, PUSH
Compilers, Interpreters, and Bytecode • Compilers translate source code into machine code • Interpreters translate each line of code into machine code on the fly while the program runs • Bytecode is an intermediary form between source code and machine code, ready to be executed in a Java Virtual Machine
Procedural and Object-Oriented Languages • Procedural languages use subroutines, procedures and functions • Ex: C, FORTRAN • Object-oriented languages define abstract objects • Have attributes and methods • Can inherit properties from parent objects • Ex: C++, Ruby, Python
Metasploit Source Code • Link Ch 9a
Fourth-Generation Programming Languages (4GL) • Automate creation of code
Computer-Aided Software Engineering (CASE) • Programs assist in creation and maintenance of other programs • Three types • Tools: support one task • Workbenches: Integrate several tools • Environments: Support entire process • 4GL, object-oriented languages, and GUIs are used as components of CASE
Top-Down vs. Bottom-Up Programming • Top-Down • Starts with high-level requirements • Common with procedural languages • Bottom-Up • Starts with low-level technical implementation details • Common with object-oriented languages
Types of Publicly Released Software • Closed Source • Source code is confidential • Open Source • Free Software • May cost $0, or be open to modify • Freeware: costs $0 • Shareware: free trial period • Crippleware: limited free version
Software Licensing • Public domain (free to use) • Proprietary software is copyrighted, and sometimes patented • EULA (End User License Agreement) • Open-source licenses • GNU Public License (GPL) • Berkeley Software Distribution (BSD) • Apache
Application Development Methods
Waterfall Model • From 1969 • One-way • No iteration • Unrealistic
Modified Waterfall Model
Sashimi Model • Steps overlap
Agile Software Development • Agile methods include Scrum and Extreme Programming (XP) • Agile Manifesto
Scrum • Stop running the relay race • Doing only one step and handing off the project • Take up rugby • A team goes the distance as a unit
Extreme Programming (XP) • Pairs of programmers work off a detailed specification • Constant communication with fellow programmers and customers
Spiral • Many rounds • Each round is a project; may use waterfall model • Risk analysis performed for each round
8. Software Development Security
Rapid Application Development (RAD) • Goal: quickly meet business needs • Uses prototypes, "dummy" GUIs, and back-end databases
Prototyping • Breaks projects into smaller tasks • Create multiple mockups (prototypes) • Customer sees realistic-looking results long before the final product is completed
SDLC • Systems Development Life Cycle • or Software Development Life Cycle • Security included in every phase • NIST Special Publication 800-14
SDLC Phases • Initiation • Development / Acquisition • Implementation • Operation • Disposal • Security plan should be first step
SDLC Overview • Prepare security plan • Initiation: define need and purpose • Sensitivity Assessment • Development / Acquisition • Determine security requirements and incorporate them into specifications • Implementation • Install controls, security testing, accreditation
SDLC Overview • Operation / Maintenance • Security operations and administration: backups, training, key management, etc. • Audits and monitoring • Disposal • Archiving • Media sanitization
Integrated Product Teams • A customer-focused group that focuses on the entire lifecycle of a project • More agile than traditional hierarchical teams
Software Escrow • Third party archives source code of proprietary software • Source code is revealed if the product is orphaned
Code Repository Security • Like GitHub • Contents must be protected • Developers shouldn't publish code that contains secrets
Security of Application Programming Interfaces (APIs) • API allows apps to use a service, like Facebook • API exploits abuse the API to compromise security
OWASP Enterprise Security API Toolkits
Software Change and Configuration Management • Ensures that changes occur in an orderly fashion, and don't harm security • NIST SP 80-128 describes a Configuration Management Plan (CMP) • Configuration Control Board (CCB) • Configuration Item Identification • Configuration Change Control • Configuration Monitoring
DevOps • Old system had strict separation of duties between developers, quality assurance, and production • DevOps is more agile, with everyone working together in the entire service lifecycle
8. Software Development Security
Databases
Database • Structured collection of data • Databases allow • Queries (searches) • Insertions • Deletions • Database Management Systems (DBMS) • Controls all access to the database • Enforces database security
Database Concepts • Database Administrator (DBA) • Query language • Ex: Structured Query Language (SQL) • Inference attack • Enumerating low-privilege data to find missing items, which must be 
 high-privilege • Aggregation attack • Combining many low-privilege records to deduce high-privilege data
Types of Databases • Relational • Hierarchical • Object-oriented • Flat file • Simple text file
Relational Databases
Relational Database Terms • Tables have rows (records or tuples) and columns (fields or attributes) • Primary Key field is guaranteed to be unique, like a SSN • Foreign key is a field in another table that matched the primary key • Join connects two tables by a matching field
Integrity • Referential Integrity • Foreign keys match primary keys • Semantic Integrity • Field values match data type (no letters in numerical fields) • Entity Integrity • Each tuple has a non-null primary key
8. Software Development Security
Database Normalization • Removes redundant data
Database Views • Contained user interface • Shows only some data and options • Like a PoS (Point of Sale) device
Data Dictionary • Describes the tables • This is metadata -- data about data • Database schema • Describes the attributes and values of the tables
8. Software Development Security
Query Languages • Two subsets of commands • Data Definition Language (DDL) • Data Manipulation Language (DML) • Structured Query Language (SQL) is the most common query language • Many types • MySQL, ANSI SQL (used by Microsoft), PL/SQL (Procedural Language/SQL, used by Oracle), and more
Common SQL Commands • SELECT * FROM Employees WHERE Title = "DETECTIVE"
Hierarchical Databases • A tree, like DNS
Object-Oriented Databases • Combines data and functions in an object-oriented framework • Uses Object Oriented Programming (OOP) • and Object Database Management System (OBMS)
Database Integrity • Mitigate unauthorized data modification • Two users may attempt to change the same record simultaneously • The DBMS attempts to commit an update • If the commit is unsuccessful, the DBMS can rollback and restore from a save point • Database journal logs all transactions
Database Replication and Shadowing • Highly Available (HA) databases • Multiple servers • Multiple copies of tables • Database replication • Mirrors a live database • Original and copy are in use, serving clients • Shadow database • Live backup, not used
Data Warehousing and Data Mining • Data Warehouse • A large collection of data • Terabytes (1000 GB) • Petabytes (1000 TB) • Data Mining • Searching for patterns • Ex: finding credit card fraud
Object-Oriented Design and Programming
Object-Oriented Programming (OOP) • A program is a series of connected objects that communicate via messages • Ex: Java, C++, Smalltalk, Ruby • Objects contain data and methods • Objects provide data hiding • Internal structure not visible from the outside • Also called encapsulation
Object-Oriented Programming Concepts • Objects • Methods • Messages • Inheritance • Delegation • Polymorphism • Polyinstantiation
Example • Addy is an object • It has a method of addition • Input message is "1+2" • Output message is "3"
Delegation and Polymorphism
Polyinstantiation • Multiple records for the same primary key, with different clearance levels
Object Request Brokers (ORBs) • Middleware • Connect programs to other programs • Object search engines • Common ORBs • COM, DCOM, CORBA
COM and DCOM • Component Object Model • Distributed Component Object Model • From Microsoft • Allows objects written in different OOP languages to communicate • Assemble a program by connecting components together like puzzle pieces • Includes ActiveX objects and Object Linking and Embedding (OLE) • COM and DCOM are being supplanted by Microsoft.NET
CORBA • Common Object Request Broker Architecture • Open vendor-neutral framework • Competes with Microsoft's proprietary DCOM • Objects communicate via Interface Definition Language (IDL)
Object-Oriented Analysis (OOA) & Object-Oriented Design (OOD) • Object-Oriented Analysis (OOA) • Analyzes a problem domain • Identifies all objects and interactions • Object-Oriented Design (OOD) • Then develops the solution
8. Software Development Security
8. Software Development Security
Assessing the Effectiveness of Software Security
Software Vulnerabilities • 15-50 errors per 1000 lines of code • Windows Vista has 50 million lines of code
Types of Software Vulnerabilities • Hard-coded credentials • Buffer overflow • SQL injection • Directory path traversal • PHP Remote File Inclusion
Buffer Overflow • Program reserves space for a variable • Ex: name[20] • User submits data that's too long to fit • Data written beyond the reserved space and corrupts memory • Can lead to Remote Code Execution
TOCTOU / Race Conditions • Time of Check/Time of Use (TOCTOU) attacks (also called Race Conditions) • A brief time of vulnerability • Attacker needs to "win the race"
Cross-Site Scripting (XSS) • Insert Javascript into a page • For example, a comment box • The code executes on another user's machine • BeEF (Browser Exploitation Framework) • Allows an attacker to control targets' browsers
Cross-Site Request Forgery (CSRF) • Trick a user into executing an unintended action • With a malicious URL • Or by using a stolen cookie
Privilege Escalation • Vertical escalation • Attacker increases privilege level • To "Administrator", "root", or "SYSTEM" • Horizontal escalation • To another user's account
Backdoor • Shortcut into a system, bypassing security checks like username/password • May be through exploiting a vulnerability • Or a backdoor account left in the system by its developer
Disclosure • Actions taken by a security researcher after finding a software vulnerability • Full Disclosure • Release all details publicly • Responsible Disclosure • Tell vendor privately • Give them time to patch it
Software Capability Maturity Model (CMM) • From Carnegie Mellon • A methodical framework for creating quality software
Five Levels of CMM 1. Initial - ad-hoc & chaotic • Depends on individual effort 2. Repeatable - basic project management 3. Defined • Documented standardized process 4. Managed • Controlled, measured process & quality 5. Optimizing • Continual process improvement
Acceptance Testing • ISTQB (International Software Testing Qualifications Board) has 4 levels • User acceptance test • Operational acceptance test • Contract acceptance testing • Compliance acceptance testing
Security Impact of Acquired Software • Commercial Off-the-Shelf (COTS) Software • Compare vendor claims with third-party research • Consider vendors going out of business, and support • Custom-Developed Third Party Products • Service Level Agreements (SLA) are vital
Artificial Intelligence
Expert Systems • Two components • Knowledge Base • If/then statements • Contain rules that the expert system uses to make decisions • Inference Engine • Follows the tree formed by the knowledge base
Multi-Layer Artificial Neural Network • Simulates real brains
Bayesian Filtering • Looks for probabilities of words in spam v. good email
Genetic Algorithms and Programming • Simulates evolution
8. Software Development Security

More Related Content

PDF
Cissp Study notes.pdf
MAHESHUMANATHGOPALAK
 
PDF
CISSP Prep: Ch 5. Communication and Network Security (Part 2)
Sam Bowne
 
PDF
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
Sam Bowne
 
PDF
1. Security and Risk Management
Sam Bowne
 
PPTX
Domain 4 - Communications and Network Security
Maganathin Veeraragaloo
 
PPT
Information Security Principles - Access Control
idingolay
 
PPTX
Operating system security
Sarmad Makhdoom
 
PPTX
Domain 6 - Security Assessment and Testing
Maganathin Veeraragaloo
 
Cissp Study notes.pdf
MAHESHUMANATHGOPALAK
 
CISSP Prep: Ch 5. Communication and Network Security (Part 2)
Sam Bowne
 
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
Sam Bowne
 
1. Security and Risk Management
Sam Bowne
 
Domain 4 - Communications and Network Security
Maganathin Veeraragaloo
 
Information Security Principles - Access Control
idingolay
 
Operating system security
Sarmad Makhdoom
 
Domain 6 - Security Assessment and Testing
Maganathin Veeraragaloo
 

What's hot (20)

PDF
CISSP Prep: Ch 9. Software Development Security
Sam Bowne
 
PPTX
Basic concepts in computer security
Arzath Areeff
 
PPSX
7 Software Development Security
Alfred Ouyang
 
ODP
OWASP Secure Coding
bilcorry
 
PPTX
Application Security Architecture and Threat Modelling
Priyanka Aash
 
PDF
Secure Coding for Java
Sébastien GIORIA
 
PPT
Software Coding- Software Coding
Nikhil Pandit
 
PPTX
Cloud Security Architecture.pptx
Moshe Ferber
 
PPTX
Cloud security
Niharika Varshney
 
PPTX
CISSP Chapter 7 - Security Operations
Karthikeyan Dhayalan
 
PDF
Web App Security Presentation by Ryan Holland - 05-31-2017
TriNimbus
 
PDF
OWASP Top 10 Web Application Vulnerabilities
Software Guru
 
PPTX
Secure coding practices
Scott Hurrey
 
PDF
Secure coding-guidelines
Trupti Shiralkar, CISSP
 
PPTX
Authentication
primeteacher32
 
DOCX
Kernel security of Systems
Jamal Jamali
 
PPTX
Introduction to cryptography and types of ciphers
Aswathi Nair
 
PPT
Security policy
Dhani Ahmad
 
PPTX
Information Security and the SDLC
BDPA Charlotte - Information Technology Thought Leaders
 
PPT
Information Security Policies and Standards
Directorate of Information Security | Ditjen Aptika
 
CISSP Prep: Ch 9. Software Development Security
Sam Bowne
 
Basic concepts in computer security
Arzath Areeff
 
7 Software Development Security
Alfred Ouyang
 
OWASP Secure Coding
bilcorry
 
Application Security Architecture and Threat Modelling
Priyanka Aash
 
Secure Coding for Java
Sébastien GIORIA
 
Software Coding- Software Coding
Nikhil Pandit
 
Cloud Security Architecture.pptx
Moshe Ferber
 
Cloud security
Niharika Varshney
 
CISSP Chapter 7 - Security Operations
Karthikeyan Dhayalan
 
Web App Security Presentation by Ryan Holland - 05-31-2017
TriNimbus
 
OWASP Top 10 Web Application Vulnerabilities
Software Guru
 
Secure coding practices
Scott Hurrey
 
Secure coding-guidelines
Trupti Shiralkar, CISSP
 
Authentication
primeteacher32
 
Kernel security of Systems
Jamal Jamali
 
Introduction to cryptography and types of ciphers
Aswathi Nair
 
Security policy
Dhani Ahmad
 
Information Security and the SDLC
BDPA Charlotte - Information Technology Thought Leaders
 
Information Security Policies and Standards
Directorate of Information Security | Ditjen Aptika
 
Ad

Similar to 8. Software Development Security (20)

PDF
8. Software Development Security
Sam Bowne
 
ODP
CISSP Week 13
jemtallon
 
PPT
ch03Threat Modeling - Locking the Door to Vulnerabilities.ppt
gealehegn
 
PPT
Technology Fundamentals
ashishsharma1506
 
PPT
Technology Fundamentals
ashishsharma1506
 
PPT
Application and Systems Development
amiable_indian
 
PPT
Management information system software
Online
 
PPT
2 software
Veeresh Khelgi
 
DOC
Technology
Ro Hith
 
PPT
ICT Intro, OS and Applications, Security
TIMON ODINGO
 
PPTX
Techniques for Developing Systems in IT Management System
Gruppo Banca Sella
 
PPTX
INTRODUCTION TO COMPUTER SOFTWARE
abiramiabi21
 
PPTX
Tech presentation (part 1)
Abhijit Roy
 
PDF
Internet application development using a meta-repository
ESUG
 
PPTX
CSE18R264 - Unit 1.pptx
YouTube299255
 
PPTX
School management system
Soumya Behera
 
PPT
Managing software assets
Prof. Othman Alsalloum
 
PPTX
Chapter no 1
COMSATS Institute of Information Technology
 
PPTX
Technical Skillwise
Skillwise Consulting
 
PPT
03 Object Dbms Technology
Laguna State Polytechnic University
 
8. Software Development Security
Sam Bowne
 
CISSP Week 13
jemtallon
 
ch03Threat Modeling - Locking the Door to Vulnerabilities.ppt
gealehegn
 
Technology Fundamentals
ashishsharma1506
 
Technology Fundamentals
ashishsharma1506
 
Application and Systems Development
amiable_indian
 
Management information system software
Online
 
2 software
Veeresh Khelgi
 
Technology
Ro Hith
 
ICT Intro, OS and Applications, Security
TIMON ODINGO
 
Techniques for Developing Systems in IT Management System
Gruppo Banca Sella
 
INTRODUCTION TO COMPUTER SOFTWARE
abiramiabi21
 
Tech presentation (part 1)
Abhijit Roy
 
Internet application development using a meta-repository
ESUG
 
CSE18R264 - Unit 1.pptx
YouTube299255
 
School management system
Soumya Behera
 
Managing software assets
Prof. Othman Alsalloum
 
Chapter no 1
COMSATS Institute of Information Technology
 
Technical Skillwise
Skillwise Consulting
 
03 Object Dbms Technology
Laguna State Polytechnic University
 
Ad

More from Sam Bowne (20)

PDF
Introduction to the Class & CISSP Certification
Sam Bowne
 
PDF
Cyberwar
Sam Bowne
 
PDF
3: DNS vulnerabilities
Sam Bowne
 
PDF
4 Mapping the Application
Sam Bowne
 
PDF
3. Attacking iOS Applications (Part 2)
Sam Bowne
 
PDF
12 Elliptic Curves
Sam Bowne
 
PDF
11. Diffie-Hellman
Sam Bowne
 
PDF
2a Analyzing iOS Apps Part 1
Sam Bowne
 
PDF
9 Writing Secure Android Applications
Sam Bowne
 
PDF
12 Investigating Windows Systems (Part 2 of 3)
Sam Bowne
 
PDF
10 RSA
Sam Bowne
 
PDF
12 Investigating Windows Systems (Part 1 of 3
Sam Bowne
 
PDF
9. Hard Problems
Sam Bowne
 
PDF
8 Android Implementation Issues (Part 1)
Sam Bowne
 
PDF
11 Analysis Methodology
Sam Bowne
 
PDF
8. Authenticated Encryption
Sam Bowne
 
PDF
7. Attacking Android Applications (Part 2)
Sam Bowne
 
PDF
7. Attacking Android Applications (Part 1)
Sam Bowne
 
PDF
5. Stream Ciphers
Sam Bowne
 
PDF
6 Scope & 7 Live Data Collection
Sam Bowne
 
Introduction to the Class & CISSP Certification
Sam Bowne
 
Cyberwar
Sam Bowne
 
3: DNS vulnerabilities
Sam Bowne
 
4 Mapping the Application
Sam Bowne
 
3. Attacking iOS Applications (Part 2)
Sam Bowne
 
12 Elliptic Curves
Sam Bowne
 
11. Diffie-Hellman
Sam Bowne
 
2a Analyzing iOS Apps Part 1
Sam Bowne
 
9 Writing Secure Android Applications
Sam Bowne
 
12 Investigating Windows Systems (Part 2 of 3)
Sam Bowne
 
10 RSA
Sam Bowne
 
12 Investigating Windows Systems (Part 1 of 3
Sam Bowne
 
9. Hard Problems
Sam Bowne
 
8 Android Implementation Issues (Part 1)
Sam Bowne
 
11 Analysis Methodology
Sam Bowne
 
8. Authenticated Encryption
Sam Bowne
 
7. Attacking Android Applications (Part 2)
Sam Bowne
 
7. Attacking Android Applications (Part 1)
Sam Bowne
 
5. Stream Ciphers
Sam Bowne
 
6 Scope & 7 Live Data Collection
Sam Bowne
 

Recently uploaded (20)

PPTX
Cell Structure & Organelles in detailed.
DHANASHREESIVAKUMAR
 
PPTX
human mycosis Human fungal infections are called human mycosis..pptx
shilpa939953
 
PDF
Supply Chain Operations Speaking Notes -ICLT Program
labyankof
 
PDF
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
jahanzaibmughal6
 
PDF
O7-L3 Supply Chain Operations - ICLT Program
labyankof
 
PPTX
Cell Types and Its function , kingdom of life
ClaireMangundayao1
 
PDF
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH 9 GLOBAL SUCCESS - CẢ NĂM - BÁM SÁT FORM Đ...
Nguyen Thanh Tu Collection
 
PPTX
1st Inaugural Professorial Lecture held on 19th February 2020 (Governance and...
kawisojames10
 
PDF
Classroom Observation Tools for Teachers
Nicaramirez
 
PDF
VCE English Exam - Section C Student Revision Booklet
jpinnuck
 
PPTX
Pharma ospi slides which help in ospi learning
rameetkumar304
 
PDF
Chapter 2 Heredity, Prenatal Development, and Birth.pdf
MarjorieLopezTiu
 
PPTX
Institutional Correction lecture only . . .
limvtheghins
 
PDF
102 student loan defaulters named and shamed – Is someone you know on the list?
Kweku Zurek
 
PDF
STATICS OF THE RIGID BODIES Hibbelers.pdf
pascualasturiaskaye4
 
PDF
3rd Neelam Sanjeevareddy Memorial Lecture.pdf
Academy of Grassroots Studies and Research of India (AGRASRI)
 
PDF
Physiotherapy_for_Respiratory_and_Cardiac_Problems WEBBER.pdf
DrMONISHAphysio
 
PDF
RMMM.pdf make it easy to upload and study
sajedul2
 
PPTX
PPH.pptx obstetrics and gynecology in nursing
SrideviDevaraj5
 
PPTX
master seminar digital applications in india
ananyaray35
 
Cell Structure & Organelles in detailed.
DHANASHREESIVAKUMAR
 
human mycosis Human fungal infections are called human mycosis..pptx
shilpa939953
 
Supply Chain Operations Speaking Notes -ICLT Program
labyankof
 
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
jahanzaibmughal6
 
O7-L3 Supply Chain Operations - ICLT Program
labyankof
 
Cell Types and Its function , kingdom of life
ClaireMangundayao1
 
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH 9 GLOBAL SUCCESS - CẢ NĂM - BÁM SÁT FORM Đ...
Nguyen Thanh Tu Collection
 
1st Inaugural Professorial Lecture held on 19th February 2020 (Governance and...
kawisojames10
 
Classroom Observation Tools for Teachers
Nicaramirez
 
VCE English Exam - Section C Student Revision Booklet
jpinnuck
 
Pharma ospi slides which help in ospi learning
rameetkumar304
 
Chapter 2 Heredity, Prenatal Development, and Birth.pdf
MarjorieLopezTiu
 
Institutional Correction lecture only . . .
limvtheghins
 
102 student loan defaulters named and shamed – Is someone you know on the list?
Kweku Zurek
 
STATICS OF THE RIGID BODIES Hibbelers.pdf
pascualasturiaskaye4
 
3rd Neelam Sanjeevareddy Memorial Lecture.pdf
Academy of Grassroots Studies and Research of India (AGRASRI)
 
Physiotherapy_for_Respiratory_and_Cardiac_Problems WEBBER.pdf
DrMONISHAphysio
 
RMMM.pdf make it easy to upload and study
sajedul2
 
PPH.pptx obstetrics and gynecology in nursing
SrideviDevaraj5
 
master seminar digital applications in india
ananyaray35
 

8. Software Development Security

  • 3. Machine Code, Source Code, and Assembly Language • Machine code • Binary language built into CPU • Source code • Human-readable language like C • Assembly Language • Low-level commands one step above machine language • Commands like ADD, SUB, PUSH
  • 4. Compilers, Interpreters, and Bytecode • Compilers translate source code into machine code • Interpreters translate each line of code into machine code on the fly while the program runs • Bytecode is an intermediary form between source code and machine code, ready to be executed in a Java Virtual Machine
  • 5. Procedural and Object-Oriented Languages • Procedural languages use subroutines, procedures and functions • Ex: C, FORTRAN • Object-oriented languages define abstract objects • Have attributes and methods • Can inherit properties from parent objects • Ex: C++, Ruby, Python
  • 8. Computer-Aided Software Engineering (CASE) • Programs assist in creation and maintenance of other programs • Three types • Tools: support one task • Workbenches: Integrate several tools • Environments: Support entire process • 4GL, object-oriented languages, and GUIs are used as components of CASE
  • 9. Top-Down vs. Bottom-Up Programming • Top-Down • Starts with high-level requirements • Common with procedural languages • Bottom-Up • Starts with low-level technical implementation details • Common with object-oriented languages
  • 10. Types of Publicly Released Software • Closed Source • Source code is confidential • Open Source • Free Software • May cost $0, or be open to modify • Freeware: costs $0 • Shareware: free trial period • Crippleware: limited free version
  • 11. Software Licensing • Public domain (free to use) • Proprietary software is copyrighted, and sometimes patented • EULA (End User License Agreement) • Open-source licenses • GNU Public License (GPL) • Berkeley Software Distribution (BSD) • Apache
  • 13. Waterfall Model • From 1969 • One-way • No iteration • Unrealistic
  • 16. Agile Software Development • Agile methods include Scrum and Extreme Programming (XP) • Agile Manifesto
  • 17. Scrum • Stop running the relay race • Doing only one step and handing off the project • Take up rugby • A team goes the distance as a unit
  • 18. Extreme Programming (XP) • Pairs of programmers work off a detailed specification • Constant communication with fellow programmers and customers
  • 19. Spiral • Many rounds • Each round is a project; may use waterfall model • Risk analysis performed for each round
  • 21. Rapid Application Development (RAD) • Goal: quickly meet business needs • Uses prototypes, "dummy" GUIs, and back-end databases
  • 22. Prototyping • Breaks projects into smaller tasks • Create multiple mockups (prototypes) • Customer sees realistic-looking results long before the final product is completed
  • 23. SDLC • Systems Development Life Cycle • or Software Development Life Cycle • Security included in every phase • NIST Special Publication 800-14
  • 24. SDLC Phases • Initiation • Development / Acquisition • Implementation • Operation • Disposal • Security plan should be first step
  • 25. SDLC Overview • Prepare security plan • Initiation: define need and purpose • Sensitivity Assessment • Development / Acquisition • Determine security requirements and incorporate them into specifications • Implementation • Install controls, security testing, accreditation
  • 26. SDLC Overview • Operation / Maintenance • Security operations and administration: backups, training, key management, etc. • Audits and monitoring • Disposal • Archiving • Media sanitization
  • 27. Integrated Product Teams • A customer-focused group that focuses on the entire lifecycle of a project • More agile than traditional hierarchical teams
  • 28. Software Escrow • Third party archives source code of proprietary software • Source code is revealed if the product is orphaned
  • 29. Code Repository Security • Like GitHub • Contents must be protected • Developers shouldn't publish code that contains secrets
  • 30. Security of Application Programming Interfaces (APIs) • API allows apps to use a service, like Facebook • API exploits abuse the API to compromise security
  • 32. Software Change and Configuration Management • Ensures that changes occur in an orderly fashion, and don't harm security • NIST SP 80-128 describes a Configuration Management Plan (CMP) • Configuration Control Board (CCB) • Configuration Item Identification • Configuration Change Control • Configuration Monitoring
  • 33. DevOps • Old system had strict separation of duties between developers, quality assurance, and production • DevOps is more agile, with everyone working together in the entire service lifecycle
  • 36. Database • Structured collection of data • Databases allow • Queries (searches) • Insertions • Deletions • Database Management Systems (DBMS) • Controls all access to the database • Enforces database security
  • 37. Database Concepts • Database Administrator (DBA) • Query language • Ex: Structured Query Language (SQL) • Inference attack • Enumerating low-privilege data to find missing items, which must be 
 high-privilege • Aggregation attack • Combining many low-privilege records to deduce high-privilege data
  • 38. Types of Databases • Relational • Hierarchical • Object-oriented • Flat file • Simple text file
  • 40. Relational Database Terms • Tables have rows (records or tuples) and columns (fields or attributes) • Primary Key field is guaranteed to be unique, like a SSN • Foreign key is a field in another table that matched the primary key • Join connects two tables by a matching field
  • 41. Integrity • Referential Integrity • Foreign keys match primary keys • Semantic Integrity • Field values match data type (no letters in numerical fields) • Entity Integrity • Each tuple has a non-null primary key
  • 44. Database Views • Contained user interface • Shows only some data and options • Like a PoS (Point of Sale) device
  • 45. Data Dictionary • Describes the tables • This is metadata -- data about data • Database schema • Describes the attributes and values of the tables
  • 47. Query Languages • Two subsets of commands • Data Definition Language (DDL) • Data Manipulation Language (DML) • Structured Query Language (SQL) is the most common query language • Many types • MySQL, ANSI SQL (used by Microsoft), PL/SQL (Procedural Language/SQL, used by Oracle), and more
  • 48. Common SQL Commands • SELECT * FROM Employees WHERE Title = "DETECTIVE"
  • 50. Object-Oriented Databases • Combines data and functions in an object-oriented framework • Uses Object Oriented Programming (OOP) • and Object Database Management System (OBMS)
  • 51. Database Integrity • Mitigate unauthorized data modification • Two users may attempt to change the same record simultaneously • The DBMS attempts to commit an update • If the commit is unsuccessful, the DBMS can rollback and restore from a save point • Database journal logs all transactions
  • 52. Database Replication and Shadowing • Highly Available (HA) databases • Multiple servers • Multiple copies of tables • Database replication • Mirrors a live database • Original and copy are in use, serving clients • Shadow database • Live backup, not used
  • 53. Data Warehousing and Data Mining • Data Warehouse • A large collection of data • Terabytes (1000 GB) • Petabytes (1000 TB) • Data Mining • Searching for patterns • Ex: finding credit card fraud
  • 55. Object-Oriented Programming (OOP) • A program is a series of connected objects that communicate via messages • Ex: Java, C++, Smalltalk, Ruby • Objects contain data and methods • Objects provide data hiding • Internal structure not visible from the outside • Also called encapsulation
  • 56. Object-Oriented Programming Concepts • Objects • Methods • Messages • Inheritance • Delegation • Polymorphism • Polyinstantiation
  • 57. Example • Addy is an object • It has a method of addition • Input message is "1+2" • Output message is "3"
  • 59. Polyinstantiation • Multiple records for the same primary key, with different clearance levels
  • 60. Object Request Brokers (ORBs) • Middleware • Connect programs to other programs • Object search engines • Common ORBs • COM, DCOM, CORBA
  • 61. COM and DCOM • Component Object Model • Distributed Component Object Model • From Microsoft • Allows objects written in different OOP languages to communicate • Assemble a program by connecting components together like puzzle pieces • Includes ActiveX objects and Object Linking and Embedding (OLE) • COM and DCOM are being supplanted by Microsoft.NET
  • 62. CORBA • Common Object Request Broker Architecture • Open vendor-neutral framework • Competes with Microsoft's proprietary DCOM • Objects communicate via Interface Definition Language (IDL)
  • 63. Object-Oriented Analysis (OOA) & Object-Oriented Design (OOD) • Object-Oriented Analysis (OOA) • Analyzes a problem domain • Identifies all objects and interactions • Object-Oriented Design (OOD) • Then develops the solution
  • 66. Assessing the Effectiveness of Software Security
  • 67. Software Vulnerabilities • 15-50 errors per 1000 lines of code • Windows Vista has 50 million lines of code
  • 68. Types of Software Vulnerabilities • Hard-coded credentials • Buffer overflow • SQL injection • Directory path traversal • PHP Remote File Inclusion
  • 69. Buffer Overflow • Program reserves space for a variable • Ex: name[20] • User submits data that's too long to fit • Data written beyond the reserved space and corrupts memory • Can lead to Remote Code Execution
  • 70. TOCTOU / Race Conditions • Time of Check/Time of Use (TOCTOU) attacks (also called Race Conditions) • A brief time of vulnerability • Attacker needs to "win the race"
  • 71. Cross-Site Scripting (XSS) • Insert Javascript into a page • For example, a comment box • The code executes on another user's machine • BeEF (Browser Exploitation Framework) • Allows an attacker to control targets' browsers
  • 72. Cross-Site Request Forgery (CSRF) • Trick a user into executing an unintended action • With a malicious URL • Or by using a stolen cookie
  • 73. Privilege Escalation • Vertical escalation • Attacker increases privilege level • To "Administrator", "root", or "SYSTEM" • Horizontal escalation • To another user's account
  • 74. Backdoor • Shortcut into a system, bypassing security checks like username/password • May be through exploiting a vulnerability • Or a backdoor account left in the system by its developer
  • 75. Disclosure • Actions taken by a security researcher after finding a software vulnerability • Full Disclosure • Release all details publicly • Responsible Disclosure • Tell vendor privately • Give them time to patch it
  • 76. Software Capability Maturity Model (CMM) • From Carnegie Mellon • A methodical framework for creating quality software
  • 77. Five Levels of CMM 1. Initial - ad-hoc & chaotic • Depends on individual effort 2. Repeatable - basic project management 3. Defined • Documented standardized process 4. Managed • Controlled, measured process & quality 5. Optimizing • Continual process improvement
  • 78. Acceptance Testing • ISTQB (International Software Testing Qualifications Board) has 4 levels • User acceptance test • Operational acceptance test • Contract acceptance testing • Compliance acceptance testing
  • 79. Security Impact of Acquired Software • Commercial Off-the-Shelf (COTS) Software • Compare vendor claims with third-party research • Consider vendors going out of business, and support • Custom-Developed Third Party Products • Service Level Agreements (SLA) are vital
  • 81. Expert Systems • Two components • Knowledge Base • If/then statements • Contain rules that the expert system uses to make decisions • Inference Engine • Follows the tree formed by the knowledge base
  • 82. Multi-Layer Artificial Neural Network • Simulates real brains
  • 83. Bayesian Filtering • Looks for probabilities of words in spam v. good email
  • 84. Genetic Algorithms and Programming • Simulates evolution