Dr. Bhavani Thuraisingham The University of Texas at Dallas (UTD) July 2013 Data and Applications Development Security

Dr. Bhavani Thuraisingham

The University of Texas at Dallas (UTD)

July 2013

Data and Applications Development Security

Domain Agenda
• System Lifecycle Security
• Applications Security Issues
• Database Security

Secure Systems Development Policies
• Organizations require more secure development
• Security climate has changed

Organizational Standards
• Systems Security Engineering-Capability Maturity Model Integration (SSE-CMMI)
• Web Application Security Consortium (WASC)
• Build Security In (BSI)
• International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC 27034)

Software Configuration Management (SCM)

• Versioning
• Technology
• Protection of code
• Protection of project
  – Scope-creep vs. Statement of work
• Process integrity

System Lifecycle
• Project
• Management-based methodology
• Capability maturity model integration
• SLC vs. SDLC
  – System lifecycle
  – System development lifecycle

Project Management Controls
• Complexity of systems and projects
• Controls built into software

Secure Development Environment
• “We need security? Then we’ll use SSL.”
• “We need strong authentication? PKI will solve all our problems.”
• “We use a secret/military-grade encryption.”
• “We had a hacking contest and no one broke it.”
• “We have an excellent firewall.”
• “We’ll add it later; let’s have the features first.”

Secure Development: Physical
• Protect source code
  – From tampering
  – Pirating
  – Accidental loss
  – Protection against attacks

Personnel Security
• Hiring controls
• Changes in employment
• Protection of privacy from employees
  – Privacy impact rating

Separation of Test Data from Production
• Never test on a production system
• Never use real data

Software Development Methods
• Waterfall
• Spiral method
• Clean-room
• Structured Programming Development
• Iterative development
• Joint analysis development
• Prototyping

Software Development Methods (cont.)

• Modified prototype model
• Exploratory model
• Rapid application development
• Reuse model
• Computer aided software engineering
• Component-based development
• Extreme programming
• Agile development

Programming Language Examples

Interpreted
• REXX
• PostScript
• Perl
• Ruby
• Python

Compiled
• Fortran
• COBOL
• BASIC
• Pascal
• C
• Ada
• C++
• Java
• C#
• Visual Basic

Program Utilities
• Assembler
• Compiler
• Interpreter

Secure Coding Issues
• Buffer overflow
• SQL injections
• Cross-site scripting (XSS)
• Dangling pointer
• Invalid hyperlink
• Secure web applications
• JavaScript attacks vs. sandbox
• Application Programming Interface (API)
• Open Source

Application Security Principles
• Validate all input and output
• Fail secure (closed)
• Fail safe
• Make it simple
• Defense in depth
• Only as secure as your weakest link

Object-oriented Programming
• OOP concepts
  – Classes
  – Objects
  – Message
  – Inheritance
  – Polymorphism
  – Polyinstantiation (term came from security)

Domain Agenda
• System Lifecycle Security
• Applications Security Issues
• Database Security

Applications Security Issues
• Building security in
• Adding defense-in-depth

Transaction Processing
• Transaction
  – Integrity
  – Availability
  – Confidentiality

Malware and Attack Types
• Injection
• Input manipulation / malicious file execution
• Broken authentication management
• Cryptographic
• Denial of service
• Hijacking
• Information disclosure
• Infrastructure
• Mis-configuration
• Race condition

Malware
• Keystroke logging
• Adware and spyware
• SPAM
• Phishing
• Botnets
• Remote access Trojan
• URL manipulation
• Maintenance hooks
• Privileged programs

Distributed Programming
• Distributed Component Object Model (DCOM)
• Simple Object Access Protocol (SOAP)
• Common Object-Request Broker Architecture (CORBA)
• Enterprise Java Beans (EJB)

Domain Agenda
• System Lifecycle Security
• Applications Security Issues
• Database Security

Database Security
• Database and data warehousing environment
  – Eliminate duplication of data
  – Consistency of data
  – Network access

Database Management Systems (DBMS) Models

• Hierarchical DBMS
  – Stores records in a single table
  – Parent/child relationships
  – Limited to a single tree
  – Difficult to link branches

Relational DBMS Model
• Most frequently used model
• Data are structured in tables
• Columns are “variables” (attributes)
• Rows contain the specific instances (records) or data

Data Warehouse
• Consolidated view of enterprise data
• Data mart
• Designed to support decision making through data mining

Knowledge Discovery in Databases (KDD)

• Methods of identifying patterns in data
• KDD and AI techniques
  – Probabilistic models
  – Statistical approach
  – Classification approach
  – Deviation and trend analysis
  – Neural networks
  – Expert system approach
  – Hybrid approach

Database Security Issues
• Inference
• Aggregation
• Unauthorized access
• Improper modification of data
• Metadata
• Query attacks
• Bypass attacks
• Interception of data
• Web security
• Data contamination
• Polyinstantiation
• Data mining

Database Controls
• Access controls
• Grants
• Cascading permissions
• Lock controls
• Backup and recovery

View-based Access Controls
• Constrained views
• Sensitive data is hidden from unauthorized users
• Controls located in the front-end application (user interface)

Transaction Controls
• Content-based access control
• Commit statement
• Three-phase commit
• Database rollback
• Journal / logs
• Error controls

The ACID Test
• Atomicity
• Consistency
• Isolation
• Durability

Application and Database Languages: Security Issues

• Poorly designed
• More privileges than necessary
• DBA account use
• Lack of audit
• Input validation

Database Interface Languages
• Structured Query Language (SQL)
• Open Database Connectivity (ODBC)
• Extensible Markup Language (XML)
• Object Linking and Embedding (OLE)
• ActiveX Data Objects (ADO)