Dr. Bhavani Thuraisingham The University of Texas at Dallas (UTD) September 2013
37
Dr. Bhavani Thuraisingham The University of Texas at Dallas (UTD) September 2013 Data and Applications Development Security
description
Dr. Bhavani Thuraisingham The University of Texas at Dallas (UTD) September 2013. Data and Applications Development Security. Domain Agenda. System Lifecycle Security Applications Security Issues Database Security. Secure Systems Development Policies. - PowerPoint PPT Presentation
Transcript of Dr. Bhavani Thuraisingham The University of Texas at Dallas (UTD) September 2013
Dr. Bhavani ThuraisinghamThe University of Texas at Dallas (UTD)
September 2013
Data and Applications Development Security
Domain Agenda• System Lifecycle Security• Applications Security Issues• Database Security
Secure Systems Development Policies• Organizations require more secure development• Security climate has changes
Organizational Standards• Systems Security Engineering-Compatibility Maturity Model
Integration (SSE-CMMI)• Web Application Security Consortium (WASC)• Build Security in (BSI)• International Organization for Standardization (ISO)/
International Electro-Technical Commission (IEC 27034)
Software Configuration Management (SCM)
• Versioning• Technologist• Protection of code• Protection of project
– Scope-creep Vs. Statement of work
• Process integrity
System Lifecycle• Project• Management-based methodology• Capability maturity model integration• SLC vs. SDLC
– System lifecycle– System development lifecycle
Project Management Controls• Complexity of systems and projects• Controls built into software
Secure Development Environment• “We need security? Then we’ll use SSL.”• “We need strong authentication? PKI will solve all our
problems.”• “We use a secret/military-grad encryption.”• “We had a hacking contest and no one broke it.”• “We have an excellent firewall.”• “We’ll add it later; let’s have the features first.”
Secure Development: Physical• Protect source code
– From tampering– Pirating– Accidental loss– Protection against attacks
Personnel Security• Hiring controls• Changes in employment• Protection of privacy from employees
– Privacy impact rating
Separation of Test Datafrom Production
• Never test on a production system• Never use real data
Software Development Methods• Waterfall• Spiral method• Clean-room• Structured Programming
Development
• Iterative development• Joint analysis development• Prototyping
Software Development Methods (cont.)
• Modified prototype model• Exploratory model• Rapid application
development• Reuse model
• Computer aided software engineering
• Component-based development
• Extreme programming• Agile development
Programming Language ExamplesInterpreted
• REXX• PostScript• Perl• Ruby• Python
Compiled• Fortran• COBOL• BASIC• Pascal• C• Ada• C++• Java• C#• Visual Basic
Program Utilities• Assembler• Compiler• Interpreter
Secure Coding Issues• Buffer overflow• SQL injections• Cross-site scripting XSS• Dangling pointer• Invalid hyperlink• Secure web applications• JavaScript attacks vs. sandbox• Application Programming Interface (API)• Open Source
Application Security Principles• Validate all input and output• Fail secure (closed)• Fail safe• Make it simple• Defense in depth• Only as secure as your weakest link
Object-oriented Programming• OOP concepts
– Classes– Objects– Message– Inheritance– Polymorphism– Polyinstantiation
Domain Agenda• System Lifecycle Security• Applications Security Issues• Database Security
Applications Security Issues• Building security in• Adding defense-in-depth
Transaction Processing• Transaction
– Integrity– Availability– Confidentiality
Malware and Attack Types• Injection• Input manipulation / malicious file execution• Brouthentication management• Cryptographic• Denial of service• Hijacking• Information disclosure• Infrastructure• Mis-configuration• Race condition
Malware• Keystroke logging• Adware and spyware• SPAM• Phishing• Botnets• Remote access Trojan• URL manipulation• Maintenance hooks• Privileged programs
Distributed Programming• Distributed Component Object Model (DCOM)• Simple Object Access Protocol (SOAP)• Common Object-Request Broker Architecture (CORBA)• Enterprise Java Beans (EJB)
Domain Agenda• System Lifecycle Security• Applications Security Issues• Database Security
Database Security• Database and data warehousing environment
– Eliminate duplication of data– Consistency of data– Network access
Database Management Systems (DBMS) Models
• Hierarchical DBMS– Stores records in a single table– Parent/child relationships– Limited to a single tree– Difficult to link branches
Relational DBMS Model• Most frequently used model• Data are structured in tables• Columns are “variables” (attributes)• Rows contain the specific instances (records) or data
Data Warehouse• Consolidated view of enterprise data• Data mart• Designed to support decision making through data mining
Knowledge Discovery in Databases (KDD)
• Methods of identifying patterns in data• KDD and AI techniques
– Probabilistic models– Statistical approach– Classification approach– Deviation and trend analysis– Neural networks– Expert system approach– Hybrid approach
Database Security Issues• Inference• Aggregation• Unauthorized access• Improper modification of data• Metadata
• Query attacks• Bypass attacks• Interception of data• Web security• Data contamination• Polyinstantiation• Data mining
Database Controls• Access controls• Grants• Cascading permissions• Lock controls• Backup and recovery
View-based Access Controls• Constrained views• Sensitive data is hidden from unauthorized users• Controls located in the front-end application (user interface)
Transaction Controls• Content-based access control• Commit statement• Three-phase commit• Database rollback• Journal / logs• Error controls
The ACID Test• Atomicity• Consistency• Isolation• Durability
Application and Database Languages: Security Issues
• Poorly designed• More privileges than necessary• DBA account use• Lack of audit• Input validation
Database Interface Languages• Structured Query Language (SQL)• Open Database Connectivity (ODBC)• Extensible Markup Language (XML)• Object Linking and Embedding (OLE)• Active X Data Object (ADO)
