Presentation is loading. Please wait.

Presentation is loading. Please wait.

CISSP Guide to Security Essentials

Published byDoreen Daniels Modified over 6 years ago

Similar presentations

Presentation on theme: "CISSP Guide to Security Essentials"— Presentation transcript:

1 CISSP Guide to Security Essentials
Application Security CISSP Guide to Security Essentials Chapter 3

2 Objectives Types of applications Application models and technologies
Application threats and countermeasures Security in the software development life cycle Application security controls Databases and data warehouses

3 Types of Applications

4 Agents Standalone programs that are part of a larger application
Examples: Anti-virus Patch management Configuration management Windows 7's "Network discovery" agent

5 Applets Software programs that run within the context of another program Example: media players within browser

6 Client-server Separate programs on clients and servers communicate via networks and work together Client can be weak, even a "thin client" with no hard drive Example: Client tools connect to database on server Connection protocols: ODBC or Oracle's Net8 (called SQL*Net prior to Oracle8) Few developed now but many are in use

7 Distributed Software components run on several systems
User workstations, application server, records server, mapping server, databases… Two-tier, three-tier, multi-tier Reasons: scalability, performance, geographical

8 Web Applications Web browser as client, application server back-end
Client software nearly universal Application software centralized Immensely popular and important OWASP (Open Web Application Security Project) link Ch 3a

9 Application Models and Technologies

10 Application Models and Technologies
Control flow languages Structured languages Object oriented languages Knowledge based languages

11 Control Flow Languages
Linear, sequential Use of “if – then – else” Branching with “go to” Examples: BASIC, COBOL, Cold Fusion, FORTRAN, Perl, PHP, Python, VBScript

12 Structured Languages Nested, heavy use of subroutines and functions
Little or no “go to” Examples: C Pascal

13 Object Oriented Languages
Utilize concepts of object programming Classes, objects, instances, and inheritance Methods, instantiations Encapsulation, abstraction, polymorphism Examples C++, Java, Ruby, Simula, Smalltalk Distributed Object Oriented Systems Modules on different systems communicate with an Object Request Broker (ORB), such as CORBA, Enterprise Java Bean, DCOM, or JRMI

14 Knowledge Based Applications
Knowledge-based systems Artificial Intelligence Used to forecast weather, stock prices, etc. Neural networks Modeled after biological reasoning processes Artificial neurons that store pieces of information Given cases about situations and outcomes, can predict future outcomes

15 Knowledge Based Applications (cont.)
Expert systems Inference engine and knowledge base of past situations and outcomes Accumulate experience and learn to work better

16 iClicker Questions

17 Which term describes a weak computer used to control a more powerful computer?
Agent Applet Client Server Distributed application 1 of 5

18 Which term best describes the NoScript Firefox extension?
Agent Applet Client Server Distributed application 2 of 5

19 TweetDeck's alert system checks for new Twitter messages every few minutes. Which term best describes that function? Agent Applet Client Server Distributed application 3 of 5

20 Which language is structured but not object-oriented?
BASIC Pascal Java Ruby CORBA 4 of 5

21 Which of these enables modules on different object-oriented systems to communicate ?
BASIC C Java Ruby CORBA 5 of 5

22 Threats to Applications

23 Reasons for attacks Industrial espionage Vandalism and disruption
Denial of service Political / religious

24 Buffer overflow attacks
Disrupt a software application by providing more data to the application than it was designed to handle Types Stack buffer overflow NOP sled attack Heap overflow Jump to register attack Examples: Morris worm, ping of death, code red worm, Slammer, Blaster, Sasser

25 Buffer overflow attack countermeasures
Use safe languages and libraries Executable space protection Microsoft's Data Execution Prevention Stack smashing protection Uses a "canary" value to detect oveflows Address Space Layout Randomization Application firewalls

26 Malicious software Types: viruses, worms, Trojan horses, rootkits, bots, spam, pharming, spyware, key loggers Purpose Steal, corrupt, or destroy information Remote control Denial of service

27 Types of malware Virus: human assisted replication, embed in programs, files, master boot records Worm: self replicating, scan for victims, rapid spread Mass mailing, Port scanning Trojan horse: claims one function, but is malware

28 Types of malware (cont.)
Rootkit: hide within or beneath the operating system Hides files, processes, and network connections Bot: remote control zombie Spam: unsolicited

29 Types of malware (cont.)
Pharming: attack on DNS to redirect traffic to phishing Web site Spyware: collect information about usage, forward to central server Key logger: logs keystrokes and mouse movements, forwards to central server

30 Malware countermeasures
Anti-malware Patches Firewalls and application firewalls Hardened systems Intrusion detection systems Decreased privilege levels Penetration testing

31 Input attacks Countermeasures Buffer overflow Script injection
Cross site scripting Cross site request forgery Countermeasures Input field filtering, application firewall, application vulnerability scanning, software developer training

32 Vulnerability Scanners?
They miss 49% of the vulnerabilities they are looking for Link Ch 6b

33 Object reuse Use of a resource belonging to another process, including: Memory, databases, file systems, temporary files, and paging space Object reuse countermeasures Application isolation Server virtualization Developer training

34 Link Ch 3c

35 Mobile code Code from one system that executes on another system
Active Web content ActiveX, Javascript, Flash Downloaded software Can be useful but some is malicious

36 Mobile code countermeasures
Anti-malware Reduced user privileges Don't surf the Web as administrator Mobile code access controls Don't let unauthorized users execute code Restricting mobile code on workstations Browser settings, NoScript, etc.

37 Social engineering Social engineering countermeasures
Attack on personnel to gain secrets People are vulnerable because they want to help Pretexting is pretending to be someone else Social engineering countermeasures Security awareness training that includes accountability

38 Back door / maintenance hook
Access holes deliberately planted by a developer To facilitate easier testing during development To facilitate production access To facilitate a break-in Back door countermeasures Code reviews Source code control

39 Logic bombs Deliberate malfunction that causes harm Time bombs
Malfunction on a given date and time Event bombs Malfunction on a specific event Logic bomb countermeasures Software source code review, external audits

40 iClicker Questions

41 Hard drives have an "ATA Protection" feature that requires a password to access the disk. However, law enforcement officers have a special password that gives them access. What term best describes this situation? Trojan Rootkit Backdoor Canary Spyware 1 of 5

42 Which security measure makes it difficult for an attacker to find code that has been injected into a vulnerable process? DEP ASLR Canary IDS WAF 2 of 5

43 Which attack operates by poisoning a DNS entry and waiting until the victim visits that site later?
Keylogger DoS Pharming Spyware Cross-site scripting 3 of 5

44 Which protection measure is a network device that stops attacks by comparing them to a list of known exploits? WAF ASLR Patch Canary DEP 4 of 5

45 During his primary race, someone posted a comment on Obama's forum that contained code, and it redirected visitors to Clinton's page. What vulnerability was being exploited? Script injection Cross-site scripting Object reuse Mobile code Logic bomb 5 of 5

46 Security in the Software Development Life Cycle

47 Security in the Software Development Life Cycle (SDLC)
The entire collection of processes used to design, develop, test, implement, and maintain software

48 Security in the Software Development Life Cycle (cont.)
Security must be included in each step of the SDLC Conceptual Requirements and specifications development Application design Threat risk modeling Coding Testing

49 Security in the conceptual stage
Presence of sensitive information must be identified Information flows Access controls (users, administrators, third parties) Regulatory requirements Application dependencies

50 Security application requirements and specifications
Every detail of the software should be specified, down to individual input forms and fields Security requirements Roles, access controls, audit logging, configuration management

51 Security in application design
Adhere to all requirements and specifications Published design documents Design reviews Reviewed by all stakeholders including security

52 Threat risk modeling Identify threats and risks prior to development
Possible changes to specs, req’s, or design

53 Security in application coding
Develop safe code Free of common vulnerabilities Use safe libraries that include safe functions for input validation rule It costs 10 times as much to secure an application after it has been developed It costs 100 times as much to secure an application after it has been implemented

54 OWASP Top Ten Web Application Risks
Link Ch 6d

55 Great OWASP Presentation
Linked as an extra lecture on my CNIT 125 page

56 Security in testing Testing should verify correct coding of every requirement and specification Use vulnerability scanners

57 Protect the SDLC itself
Source code access control Protect source code Don't trust it to remain secret, though Record version changes Protection of software development and testing tools Protect from unauthorized modifications Protection of software development systems Prevent introduction of malware, back doors, logic bombs

58 Application Environment and Security Controls

59 Controls that must be present in a developed application
Authentication Limiting access to only legitimate, approved users Authorization Limiting access only to approved functions and data Audit logging Logging of all actions in the application

60 Databases and Data Warehouses

61 Database Concepts Database Data Warehouse
Ordered collection of data, such as employee records Data Warehouse A database used for decision support and research May contain all customer transactions Business intelligence tools analyze the data to find trends Example: Google's ad-targeting data

62 Database Architectures
Hierarchical databases: tree structure like DNS (no longer produced) Network databases: complex tree structure (no longer produced) Object-oriented databases: OO, methods stored with data Not common yet, see link Ch 3e

63 Database Architectures (cont.)
Distributed databases: physically distributed, any type Relational databases (RDBMS): in widest use today Data is stored in tables, records and fields Tables have relationships Oracle, SQL Server, DB2, MySQL, etc.

64 Database Transactions
Records retrieval Records update Records creation Transactional integrity Nested or complex transactions executed as a unit Begin work… <transactions> …end work

65 Database Security Controls
Access controls Userids, passwords Table / row / field level access control Read-only or read/write Views Virtual tables that are a subset of individual tables, or a “join” between tables Permission given to views just like “real” tables

66 iClicker Questions

67 At what stage in software development should HIPPA and other such regulations be first considered?
Requirements and Specifications Conceptual Design Threat risk modeling Coding 1 of 5

68 At what stage in software development is every detail of the software first specified, down to individual input forms and fields? Requirements and Specifications Conceptual Design Threat risk modeling Coding 2 of 5

69 Someone stole files from Adobe, so they could use them to hasten their own product development. What security measure failed here? Source code access control Protection of testing tools Protection of software development systems Threat risk modeling Authorization 3 of 5

70 A company's developers are using pirated Photoshop software, which contains a trojan. What aspect of security has been compromised? Source code access control Protection of testing tools Protection of software development systems Threat risk modeling Authorization 4 of 5

71 What sort of database is the most common today?
Hierarchical Network Object-oriented Distributed Relational 5 of 5

Download ppt "CISSP Guide to Security Essentials"

Similar presentations

Unit 1 Living in the Digital WorldChapter 1 Lets Communicate Internet Safety.

Unit 1 Living in the Digital WorldChapter 1 Lets Communicate Internet Safety.
Thank you to IT Training at Indiana University Computer Malware.

Thank you to IT Training at Indiana University Computer Malware.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
Current Security Threats WMO CBS ET-CTS Toulouse, France 26-30 May 2008 Allan Darling, NOAA’s National Weather Service WMO CBS ET-CTS Toulouse, France.

Current Security Threats WMO CBS ET-CTS Toulouse, France May 2008 Allan Darling, NOAA’s National Weather Service WMO CBS ET-CTS Toulouse, France.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
Computer Viruses.

Computer Viruses.
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.

19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.

Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.
Chapter 7 Database Auditing Models

Chapter 7 Database Auditing Models
The Client/Server Database Environment

The Client/Server Database Environment
With Microsoft Windows 7© 2012 Pearson Education, Inc. Publishing as Prentice Hall1 PowerPoint Presentation to Accompany GO! with Microsoft ® Windows 7.

With Microsoft Windows 7© 2012 Pearson Education, Inc. Publishing as Prentice Hall1 PowerPoint Presentation to Accompany GO! with Microsoft ® Windows 7.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.
Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)

Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)
Beyond DHTML So far we have seen and used: CGI programs (using Perl ) and SSI on server side Java Script, VB Script, CSS and DOM on client side. For some.

Beyond DHTML So far we have seen and used: CGI programs (using Perl ) and SSI on server side Java Script, VB Script, CSS and DOM on client side. For some.
CISSP Guide to Security Essentials

CISSP Guide to Security Essentials
Safe Computing. Computer Maintenance  Back up, Back up, Back up  External Hard Drive  CDs or DVDs  Disk Defragmenter  Reallocates files so they use.

Safe Computing. Computer Maintenance  Back up, Back up, Back up  External Hard Drive  CDs or DVDs  Disk Defragmenter  Reallocates files so they use.
Security Awareness: Applying Practical Security in Your World Chapter 1: Introduction to Security.

Security Awareness: Applying Practical Security in Your World Chapter 1: Introduction to Security.
Business Computing 550 Lesson 6. 2 Security Threats on Web Sites Issues and vulnerabilities 1.Illegal Access and Use (Hacking the system or users exposing.

Business Computing 550 Lesson 6. 2 Security Threats on Web Sites Issues and vulnerabilities 1.Illegal Access and Use (Hacking the system or users exposing.

Similar presentations

Ads by Google