
Dr. Bhavani Thuraisingham The University of Texas at Dallas (UTD) July 2011



  1. Dr. Bhavani Thuraisingham, The University of Texas at Dallas (UTD), July 2011: Applications Development Security

  2. Domain Agenda • System Lifecycle Security • Applications Security Issues • Database Security

  3. Secure Systems Development Policies • Organizations require more secure development • The security climate has changed

  4. Organizational Standards • Systems Security Engineering Capability Maturity Model (SSE-CMM, ISO/IEC 21827) • Web Application Security Consortium (WASC) • Build Security In (BSI) • ISO/IEC 27034 (International Organization for Standardization / International Electrotechnical Commission, application security)

  5. Software Configuration Management (SCM) • Versioning • Technologist • Protection of code • Protection of project • Scope creep vs. statement of work • Process integrity

  6. System Lifecycle • Project management-based methodology • Capability maturity model integration • SLC vs. SDLC: system lifecycle vs. system development lifecycle

  7. Project Management Controls • Complexity of systems and projects • Controls built into software

  8. Secure Development Environment: common misconceptions • “We need security? Then we’ll use SSL.” • “We need strong authentication? PKI will solve all our problems.” • “We use secret/military-grade encryption.” • “We had a hacking contest and no one broke it.” • “We have an excellent firewall.” • “We’ll add it later; let’s have the features first.”

  9. Secure Development: Physical • Protect source code from tampering, piracy and accidental loss • Protection against attacks

  10. Personnel Security • Hiring controls • Changes in employment • Protection of privacy from employees • Privacy impact rating

  11. Separation of Test Data from Production • Never test on a production system • Never use real data

  12. Software Development Methods • Waterfall • Spiral method • Clean-room • Structured Programming Development • Iterative development • Joint analysis development • Prototyping

  13. Software Development Methods (cont.) • Modified prototype model • Exploratory model • Rapid application development • Reuse model • Computer aided software engineering • Component-based development • Extreme programming • Agile development

  14. Programming Language Examples • Interpreted: REXX, PostScript, Perl, Ruby, Python • Compiled: Fortran, COBOL, BASIC, Pascal, C, Ada, C++, Java, C#, Visual Basic

  15. Program Utilities • Assembler • Compiler • Interpreter

  16. Secure Coding Issues • Buffer overflow • SQL injection • Cross-site scripting (XSS) • Dangling pointer • Invalid hyperlink • Secure web applications • JavaScript attacks vs. sandbox • Application Programming Interface (API) • Open source

  17. Application Security Principles • Validate all input and output • Fail secure (closed) • Fail safe • Make it simple • Defense in depth • Only as secure as your weakest link
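Slides 16 and 17 list SQL injection and the principles "validate all input" and "fail secure (closed)" without showing what they look like in code. The following is an added example, not code from the presentation: a deliberately injectable login check next to a hardened one that validates input, binds it as query parameters, and denies access on any database error. The user table, the plaintext password column and the username allowlist pattern are constructed for this example only.

```python
import re
import sqlite3

# Constructed sample data, not from the presentation. Passwords are kept in
# plaintext only so the injection is easy to follow; a real system stores a
# salted, slow password hash and compares against that.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret', 'admin')")
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Deliberately injectable: user input is pasted into the SQL text, so a
    name like "alice' --" comments out the password check, and a password
    like "' OR '1'='1" makes the WHERE clause true for every row."""
    sql = (f"SELECT role FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


# Username allowlist (an assumption for this example). Input validation is
# defence in depth on top of parameterisation, not a substitute for it.
NAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def login_safe(conn, name, password):
    """Hardened version: validate input, bind it as parameters, fail closed."""
    if not NAME_RE.fullmatch(name) or not (1 <= len(password) <= 128):
        return None
    sql = "SELECT role FROM users WHERE name = ? AND password = ?"
    try:
        # Bound parameters are always treated as data, never as SQL syntax.
        row = conn.execute(sql, (name, password)).fetchone()
    except sqlite3.Error:
        # Fail secure: an unexpected database error denies access instead of
        # being mistaken for "no match" handling or, worse, for success.
        return None
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, name injection    :", login_vulnerable(conn, "alice' --", "wrong"))
    print("vulnerable, password injection:", login_vulnerable(conn, "alice", "' OR '1'='1"))
    print("safe, password injection      :", login_safe(conn, "alice", "' OR '1'='1"))
    print("safe, real password           :", login_safe(conn, "alice", "s3cret"))
```

The password payload is the instructive case: it passes every length check and still breaks the vulnerable query, while the parameterised query simply compares it as a string. The closed-connection case in the test shows the fail-closed branch: the hardened function returns "no access" rather than raising into the caller.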

  18. Object-oriented Programming • OOP concepts • Classes • Objects • Message • Inheritance • Polymorphism • Polyinstantiation

  19. Domain Agenda • System Lifecycle Security • Applications Security Issues • Database Security

  20. Applications Security Issues • Building security in • Adding defense-in-depth

  21. Transaction Processing • Transaction • Integrity • Availability • Confidentiality

  22. Malware and Attack Types • Injection • Input manipulation / malicious file execution • Broken authentication and session management • Cryptographic • Denial of service • Hijacking • Information disclosure • Infrastructure • Misconfiguration • Race condition

  23. Malware • Keystroke logging • Adware and spyware • SPAM • Phishing • Botnets • Remote access Trojan • URL manipulation • Maintenance hooks • Privileged programs

  24. Distributed Programming • Distributed Component Object Model (DCOM) • Simple Object Access Protocol (SOAP) • Common Object-Request Broker Architecture (CORBA) • Enterprise Java Beans (EJB)

  25. Domain Agenda • System Lifecycle Security • Applications Security Issues • Database Security

  26. Database Security • Database and data warehousing environment • Eliminate duplication of data • Consistency of data • Network access

  27. Database Management Systems (DBMS) Models • Hierarchical DBMS • Stores records in a single table • Parent/child relationships • Limited to a single tree • Difficult to link branches

  28. Relational DBMS Model • Most frequently used model • Data are structured in tables • Columns are “variables” (attributes) • Rows contain the specific instances (records) or data

  29. Data Warehouse • Consolidated view of enterprise data • Data mart • Designed to support decision making through data mining

  30. Knowledge Discovery in Databases (KDD) • Methods of identifying patterns in data • KDD and AI techniques • Probabilistic models • Statistical approach • Classification approach • Deviation and trend analysis • Neural networks • Expert system approach • Hybrid approach

  31. Database Security Issues • Inference • Aggregation • Unauthorized access • Improper modification of data • Metadata • Query attacks • Bypass attacks • Interception of data • Web security • Data contamination • Polyinstantiation • Data mining
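Slide 31 names inference and aggregation but not the mechanics. The following is an added example, not from the presentation, using a constructed employee table: an aggregate-only interface (only COUNT and SUM are returned) first leaks an individual salary directly through a one-member department, then a query-set-size control with threshold k blocks that, and finally a difference ("tracker") attack still isolates one person even with the control in place. The table contents and the threshold values are assumptions for this example.

```python
import sqlite3

# Constructed sample data, not from the presentation.
EMPLOYEES = [
    ("alice", "eng", 100000),
    ("bob", "eng", 90000),
    ("carol", "eng", 110000),
    ("dave", "security", 120000),
    ("erin", "ops", 80000),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (name TEXT, dept TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)", EMPLOYEES)
    conn.commit()
    return conn


def restricted_sum(conn, dept=None, exclude=None, k=0):
    """Aggregate-only interface with a query-set-size control.

    Returns (count, total_salary) for the selected rows, or None when the
    query set is too small or too large: the answer is released only if
    k <= count <= N - k, where N is the table size. k = 0 disables the control.
    """
    n_total = conn.execute("SELECT COUNT(*) FROM employees").fetchone()[0]
    clauses, params = [], []
    if dept is not None:
        clauses.append("dept = ?")
        params.append(dept)
    if exclude is not None:
        clauses.append("name <> ?")
        params.append(exclude)
    where = (" WHERE " + " AND ".join(clauses)) if clauses else ""
    # Only fixed SQL fragments are concatenated; user values are bound.
    count, total = conn.execute(
        "SELECT COUNT(*), COALESCE(SUM(salary), 0) FROM employees" + where, params
    ).fetchone()
    if count < k or count > n_total - k:
        return None
    return count, total


def direct_inference(conn, dept, k=0):
    """A department with a single member leaks that member's salary via SUM."""
    res = restricted_sum(conn, dept=dept, k=k)
    return res[1] if res is not None and res[0] == 1 else None


def tracker_attack(conn, target, dept, k=0):
    """Difference attack: SUM(dept) - SUM(dept without target).

    Both query sets can be large enough to pass the size check, yet their
    difference is exactly one individual's value."""
    whole = restricted_sum(conn, dept=dept, k=k)
    rest = restricted_sum(conn, dept=dept, exclude=target, k=k)
    if whole is None or rest is None:
        return None
    return whole[1] - rest[1]


if __name__ == "__main__":
    conn = make_db()
    print("direct, k=0 :", direct_inference(conn, "security"))
    print("direct, k=2 :", direct_inference(conn, "security", k=2))
    print("tracker, k=2:", tracker_attack(conn, "alice", "eng", k=2))
    print("tracker, k=3:", tracker_attack(conn, "alice", "eng", k=3))
```

With five rows and k = 2 the control refuses the one-member department but still answers both tracker queries (sets of size 3 and 2), so the attacker recovers the salary by subtraction. Raising k to 3 stops the tracker here but leaves almost no query answerable, which is why query-set-size limits are treated as necessary but not sufficient; overlap controls, query auditing, or adding noise to results are the usual complements.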

  32. Database Controls • Access controls • Grants • Cascading permissions • Lock controls • Backup and recovery

  33. View-based Access Controls • Constrained views • Sensitive data is hidden from unauthorized users • Controls may also be located in the front-end application (user interface), but those are bypassed by anyone who can reach the database directly

  34. Transaction Controls • Content-based access control • Commit statement • Three-phase commit • Database rollback • Journal / logs • Error controls

  35. The ACID Test • Atomicity • Consistency • Isolation • Durability
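Slides 33 to 35 cover constrained views, commit/rollback and the ACID properties as bullet points. The following is an added example, not code from the presentation, that puts both on one constructed schema: a view that exposes a directory without the salary column, and a funds transfer whose two updates either both commit or are both rolled back when a CHECK constraint rejects the result. The table names, rows and balances are assumptions for this example; SQLite is used because it needs no server, which also means the GRANT/REVOKE step a server DBMS would add is only described in a comment.

```python
import sqlite3

# Constructed sample data, not from the presentation.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, dept TEXT, salary INTEGER)"
    )
    conn.executemany(
        "INSERT INTO employees (name, dept, salary) VALUES (?, ?, ?)",
        [("alice", "eng", 100000), ("bob", "eng", 90000), ("erin", "ops", 80000)],
    )
    # Constrained view: hides the salary column and limits rows to one
    # department. Because it lives in the DBMS, every client gets the same
    # restriction whichever front end it uses. On a server DBMS you would
    # additionally REVOKE SELECT ON employees from the application role and
    # GRANT SELECT on the view only; SQLite has no GRANT, so that is omitted.
    conn.execute(
        "CREATE VIEW eng_directory AS SELECT name, dept FROM employees WHERE dept = 'eng'"
    )
    # The CHECK constraint is the "consistency" rule the transaction must keep.
    conn.execute(
        "CREATE TABLE accounts (owner TEXT PRIMARY KEY, "
        "balance INTEGER NOT NULL CHECK (balance >= 0))"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [("alice", 100), ("bob", 50)])
    conn.commit()
    return conn


def directory(conn):
    """Columns and rows visible through the constrained view (no salary)."""
    cur = conn.execute("SELECT * FROM eng_directory ORDER BY name")
    columns = [d[0] for d in cur.description]
    return columns, cur.fetchall()


def transfer(conn, src, dst, amount):
    """Move money between accounts as one atomic transaction.

    The credit is applied before the debit on purpose: if the debit violates
    the CHECK constraint, the credit already written must be undone, and the
    rollback does exactly that. Returns True on commit, False on rollback.
    """
    try:
        with conn:  # BEGIN ... COMMIT, or ROLLBACK if an exception escapes
            credited = conn.execute(
                "UPDATE accounts SET balance = balance + ? WHERE owner = ?", (amount, dst)
            ).rowcount
            if credited != 1:
                raise ValueError(f"unknown account {dst!r}")
            debited = conn.execute(
                "UPDATE accounts SET balance = balance - ? WHERE owner = ?", (amount, src)
            ).rowcount
            if debited != 1:
                raise ValueError(f"unknown account {src!r}")
        return True
    except (sqlite3.IntegrityError, ValueError):
        # Atomicity: the partial credit above is gone after the rollback.
        return False


def balances(conn):
    return dict(conn.execute("SELECT owner, balance FROM accounts").fetchall())


if __name__ == "__main__":
    conn = make_db()
    print(directory(conn))
    print(transfer(conn, "alice", "bob", 30), balances(conn))
    print(transfer(conn, "bob", "alice", 500), balances(conn))
```

The second transfer credits alice with 500 and then fails on bob's debit; after the rollback both balances are exactly what they were, which is the observable meaning of atomicity and consistency together. Durability is what the journal gives a committed transfer across a crash, and isolation is what keeps a concurrent reader from seeing the 500 in alice's account in between.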

  36. Application and Database Languages: Security Issues • Poorly designed • More privileges than necessary • DBA account use • Lack of audit • Input validation

  37. Database Interface Languages • Structured Query Language (SQL) • Open Database Connectivity (ODBC) • Extensible Markup Language (XML) • Object Linking and Embedding (OLE) • ActiveX Data Objects (ADO)
