Installation and deployment activities are implemented following a plan which can be used to document best practices. The software needs to be configured so that the security principles are not violated or ignored during the installation.
Some steps necessary in pre-installation or post-installation phases:
Hardening – Harden the host operating system by using the Minimum Security Baseline (MSB), updates and patches; also harden the applications and software that runs on top of the operating system.
Environment Configuration – pre-installation checklists are useful to ensure that the needed configuration parameters are properly configured.
Release Management – Release management is the process of ensuring that all the changes that are made to the computing environment are planned, documented, tested and deployed with least privilege without negatively impacting any existing business operations or customers.
Bootstrapping and secure startup – Bootstrapping (or booting) involves any one shot process that ensures the correctness of the initial configuration; this includes the the proper defaults and execution parameters. Secure startup refers to the entire collection of processes from the turning on of the power until the operating system is in complete control of the system.The use of TPM (Trusted Platform Module) chip enables significant hardening of startup parameters from tampering.
Operations and Maintenance
The purpose of the software operations process is to operate the software product in its intended environment; this implies a focus on the assurance of product effectiveness and product support for the user community.
The purpose of the software maintenance process is to provide cost-effective modifications and operational support for each of the software artifacts in the organizational portfolio.
Activities that are useful to ensure that the deployed software stays secure:
Monitoring – As part of the security management activities, continuous monitoring is critically important. The task is accomplished by: scanning, logging, intrusion detection.
Incident Management – The incident response management process applies whether the organization is reacting to a foreseen event or is responding to an incident that was not anticipated. The key to ensuring effective response is a well defined and efficient incident reporting and and handling process.
Problem Management – Problem management is focus on improving the service and business operations. The goal of problem management is to determine and eliminate the root cause of an operational problem and in doing so it improves the service that IT provides to the business.
Change Management – Change Management includes also Patch and Vulnerability Management. The main goal of the change management is to protect the enterprise from the risk associated with changing of functioning systems.
Backup, Recovery and Archiving – In addition to regularly scheduled backups, when patches and software updates are made, it is advisable to perform full backup of the system that is being changed.
Secure Software Disposal
The purpose of the secure software disposal process is to safely terminate the existence of a system or a software entity. Like all formal IT processes, disposal is conducted according to a plan, that defines schedules, actions and resources.
Supplier Risk Assessment
The overall purpose of the supplier risk assessment is to identify and maintain an appropriate set of risk controls within the supply chain.
Categories of concerns for an external supplier:
installation of malicious logic in hardware or software.
installation of counterfeit hardware or software.
failure or disruption in the production of distribution of a critical product or service.
installation of unintentional vulnerabilities in software or hardware.
All the software items moving within a supply chain have to comply with existing laws and regulations.
Software acceptance is the life cycle process of officially or formally accepting new or modified software components, which when integrated form the information system.
completion criteria – are all the functional and security requirements completed as expected.
change management – is there a process in place to handle change requests.
approval to deploy/release – have all of the required authorities sign off.
risk acceptance and exception policy – is the residual risk acceptable or tracked as an exception.
documentation – are all the necessary documentation in place.
validation & verification (V&V) – Validation means that the software meets the specified user requirements. Verification describes proper software construction. V&V is not an ad hoc process but it is a very structured and systematic approach to evaluate the software technical functionality. The evaluation can be divided in two main activities:
error detection (tests).
independent third party (tests).
certification and accreditation – Certification is the technical verification of the software functional and assurance level. Accreditation is management’s formal acceptance of the system after an understanding of the risks to that system.
The most common software security vulnerabilities and risks
buffer overflow – is the condition that occurs when data that is being copied into the buffer (contiguous allocated storage space in memory) is more than what the buffer can handle.
stack overflow – buffer has been overflowed in the stack space.
the data flows from one buffer space into another, causing the return address instruction pointer to be overwritten.
heap overflow – a heap overflows does not necessarily overflow but corrupts the heap memory space (buffer), overwriting variables and function pointers on the heap.
injection flows – occur when the user supplied data is not validated before being processed by an interpreter.
OS Command injection
XML injection – software does not properly filter or quote special characters or reserved words that are used in XML, allowing an attacker to modify the syntax, contents or commands before execution.
cross-site scripting – A web application is said to be susceptible to XSS vulnerability when the user supplied input is sent back to the browser client without being properly validated and its content escaped.
Non-persistent (Reflected) – the user supplied input script that is injected (also referred to as payload) is not stored but merely included in the response from the web server, either in the results of a search or an error message.
Persistent (Stored) – the injected script is permanently stored on the target servers, either in a database, a message forum, a visitor log or an input field. Each time the victims visit the page that has the injected code stored in it or served to it from the web server, the payload script executes in the user’s browse
DOM based – the payload is executed in the victim’sbrowser as a result of DOM environment modifications on the client side. The HTTP response (or the web page) itself is not modified, but weaknesses in the client side allows the code contained in the web page client to be modified, so that the payload can be executed.
insecure direct object references – an unauthorized user or process can invoke the internal functionality of the software by manipulating parameters and other object values that directly reference this functionality.
security misconfiguration -Some of the common examples of security misconfigurations:
Missing software and operating system patches.
Lack of perimeter and host defensive controls such as firewalls,
Installation of software with default accounts and settings.
Installation of the administrative console with default configuration settings.
Pharming – scamming practice in which malicious code is installed on a system or server which misdirects users to fraudulent web sites without the user’s knowledge or consent.
Vishing – made up of two words, “voice” and “phishing” and is the criminal fraudulent activity in which an attacker steals sensitive information using deceptive social engineering techniques on VoIP networks.
Defensive Coding Practices
input validation – use blacklist or whitelist technique.
canonicalization (C14N) -process of converting data that has more than one possible representation to conform to a standard canonical form.
sanitization -process of converting something that is considered dangerous into its innocuous form. Both inputs and outputs can be sanitized.
stripping – removing harmful characters from user supplied input.
substitution – replacing user supplied input with safer alternatives.
literalization – using properties that render the user supplied input to be treated as a literal form.
error handling – error messages must be non-verbose and explicitly specified in the software. Redirect errors and exceptions to a custom and default error handling location.
cryptographic agility – ability to manage the specifics of the cryptographic functions that are embedded in code without recompiling, typically through a configuration file.
tokenization – process of replacing sensitive data with unique
identification symbols that still retain the needed information about the data, without compromising its security.
anti-tampering – techniques assure integrity assurance and protection against unauthorized and malicious alterations of the software code and/or the data.
Secure Software Processes
In addition to writing secure code, there are certain processes that must be conducted during the implementation phase that can assure the security of the software:
A software or application’s attack surface is the measure of its exposure of being exploited by a threat agent i.e., weaknesses in its entry and exit points that a malicious attacker can exploit to his or her advantage.
The attack surface evaluation attempts to enumerate the list of features that
an attacker will try to exploit.
Threat modeling is the process used to identify and document all the threats to system.
The threat modeling process have 3 phases:
model the system for which you want to find the threats.
attack trees – An attack tree is a hierarchical tree-like structure, which has either an attacker’s objective (e.g., gain administrative level privilege, determine application makeup and configuration, bypass authentication mechanisms, etc.) or a type of attack
(e.g., buffer overflow, cross site scripting, etc.) at its root node.
address each threat found in the previous step. Once identified,each threat must be evaluated according to the risk attached to it. There are several ways to quantitatively or qualitatively determine the risk ranking for a threat. These range from the simple, non-scientific, Delphi heuristic methodology to more statistically sound risk ranking using the probability of impact and the business impact.
This part is linked to the Secure Software Concepts and contains how the security software concepts can be applied to have a secured application.
confidentiality – use cryptographic and masking techniques
integrity – use hashing (or hash functions), referential integrity design (uses primary keys and related foreign keys in the database to assure data integrity), resource locking (when two concurrent operations are not allowed on the same object (say a record in the database), because one of the operations locks that record from allowing any changes to it, until it completes its operation, it is referred to as resource locking), and code signing.
availability – replication, fail-over and scalability techniques can be used to design the software for availability.
authentication – use multi-factor authentication and single sign on (SSO). Rely of already existing mechanism if possible (like the ones offered by the operating system).
authorization – rely of already existing mechanism if possible.
accounting (audit) – determine of what elements should be logged and under what circumstances.
Some of the common, insecure design issues observed in software are the
improper implementation of least privilege
software fails insecurely
authentication mechanisms are easily bypassed
security through obscurity
improper error handling
weak input validation
Architecture system with secured design principles:
good enough security – care should be taken to ensure that the security elements are in response with the actual risk associated with the potential vulnerability; do not over-engineer.
least privilege – use of accounts with non-administrative abilities.
Modular programming is a software design technique in which the entire program is broken down into smaller sub-units or modules. Each module is discrete with unitary functionality and is said to be therefore cohesive, meaning each module is designed to perform one and only one logical operation.
separation of duties – the programmer should not be allowed to review his own code nor should a programmer have access to deploy code to the production environment.
defense in depth
use of input validation along with prepared statements or stored
procedures, disallowing dynamic query constructions using user
input to defend against injection attacks.
disallowing active scripting in conjunction with output encoding
and input- or request-validation to defend against Cross-Site
the user is denied access by default and the account is locked out after the maximum number (clipping level) of access attempts is tried.
errors and exceptions are explicitly handled and the error messages are non-verbose in nature.
not designing the software to ignore the error and resume next
economy of mechanism – trade-off that happens between the
usability of the software and the security features that need to be designed and built in.
Unnecessary functionality or unneeded security mechanisms should be avoided.
Strive for simplicity.
Strive for operational ease of use.
complete mediation –
open design – the inverse of the open design principle is security through obscurity, which means that the software employs protection mechanisms whose strength is dependent on the obscurity of the design.
least common mechanism – mechanisms common to more than one user or process are designed not to be shared. Design should compartmentalize or isolate the code (functions) by user roles, since this increases the security of the software by limiting the exposure.
psychological acceptance – security principle that states that security mechanisms should be designed to maximize usage, adoption, and automatic application.The security protection mechanisms:
are easy to use,
do not affect accessibility.
are transparent to the user.
weakest link – when designing software, careful attention must be
given so that there are no exploitable components.
leverage existing components – reusing tested and proven, existing libraries and common components has good security benefits.
Securing commonly used architectures
service oriented architecture
An ESB is a software architectural pattern that facilitates communication between mutually interacting software application.
rich internet aplications (RIA)
Infrastructure as a Service (IaaS) -infrastructural components such as networking equipment, storage, servers and virtual machines are provided as services and managed by the cloud service provider.
Platform as a Service (PaaS) -in addition to infrastructural components, platform components such as operating systems, middleware and runtime are also provided as services and managed by the cloud service provider.
Software as a Service (SaaS) – in addition to infrastructural and platform components, data hosting and software applications are provided as services and managed by the cloud service provider.
Digital Rights Management
The expression of rights is made possible by formal language, known as Rights Expression Language (REL). Some examples of REL include the following:
Open Digital Rights Language (ODRL) – A generalized, open standard under development that expresses rights using XML.
eXtensible rights Markup Language (XrML) – Another generalized REL that is more abstract than ODRL. XrML is more of a meta-language that can be used for developing other RELs.
Publishing Requirements for Industry Standard Metadata
(PRISM) – Unlike ODRL and XrML, PRISM can be used to express
rights specific to a task and is used for syndication of print media
content such as newspapers and magazine.
Trusted Platform Module (TPM) – specification used in personal computers and other systems to ensure protection against disclosure of sensitive or private information as well as the implementation of the specification itself.
Trusted Computing Base (TCB) – the set of all hardware, firmware and software components that are critical to its security.