
Page 1

© Copyright 2005 (ISC)2® All Rights Reserved.

Application Security v5.0

Application Security

Page 2

Introduction

This domain addresses the important security concepts that apply to software application development:

• The environment where software is designed and developed

• The critical role software plays in providing security to the information system.

Page 3

Objectives

The CISSP should understand:

• The principles for securing applications throughout the lifecycle management process.

• Change control

• Data warehousing, data mining, and knowledge-based systems

• Program interfaces

• Concepts used to ensure application availability, integrity and confidentiality.

Page 4

Objectives (cont.)

The CISSP should be able to:

• Define the application software design engineering principles

• Identify the various types of malicious software

– How malicious software can be introduced into the computing environment

– Protection mechanisms that can be used to prevent, detect, and correct malicious software attacks.

Page 5

Availability

• Programs

• Data

• Processing

• Resources

– Bandwidth, memory, disk space, mail queues, etc.

(Figure: the Confidentiality, Integrity and Availability triad)

Page 6

Integrity

• Programs

• System

• Data

• Trust relationships

– Formal (technical trust between subnets and domains)

– Informal (social relations between partners, customers, and clients)

(Figure: the Confidentiality, Integrity and Availability triad)

Page 7

Confidentiality

• Direct loss (backdoors, viruses, etc.)

• Indirect loss (Consequential damage due to unauthorized disclosure of confidential information, etc.)

(Figure: the Confidentiality, Integrity and Availability triad)

Page 8

Subtopics

• Applications Environment

• Database and Data Warehouse Environment

• Environment Threats

• System Life Cycle

• Software Development Methods

• Programming Languages

• Object Oriented Technology

• Software Protection Mechanisms

• Web Application Environment

• Assurance Mechanisms

Page 9

Section Objectives

• Describe the applications environment

• List the benefits of a database management system (DBMS)

• List examples of DBMS Models

• Define lock controls

• Describe online transaction processing (OLTP)

• Describe data warehousing

• List application environment threats

Page 10

Applications Environment

• Operating system (O/S) – First layer of software

• Two objectives of the O/S:

– Control use of system resources

– Provide a convenient, easy-to-understand view of the computer to users

Page 11

Applications Software

• Comprised of programs, processes, utilities, drivers, etc., to provide user functionality and support business activities.

• Allows users to execute and perform computerized tasks.

Page 12

Subtopics

• Applications Environment

• Database and Data Warehouse Environment

• Environment Threats

• System Life Cycle

• Software Development Methods

• Programming Languages

• Object Oriented Technology

• Software Protection Mechanisms

• Web Application Environment

• Assurance Mechanisms

Page 13

Database Management Systems

• Databases - developed to manage information from many sources in one location.

– Eliminates the need for duplication of information in the system.

– Preserves storage space.

– Prevents inconsistency in data by making changes in one central location.

Page 14

Major Elements

• Database

• Hardware

• Software

• Users

Page 15

DBMS Should Provide:

• Transaction persistence

• Fault tolerance and recovery

• Sharing by multiple users

• Security controls

Page 16

DBMS Models

• Hierarchical Database Management Systems

• Network Database Management Systems

• Relational Database Management Systems

• Object-Oriented Database Management Systems

• Object-Relational Database Management Systems

Page 17

Hierarchical DBMS

• Stores records in a single table.

• Uses parent/child relationships.

• Limited to a single tree

• Unable to link between branches or multiple layers.

Page 18

Network DBMS

• Represents data as a network of records and sets that are related to each other, forming a network of links.

– Record types - records of the same type

– Set types - relationships between record types

Page 19

Relational DBMS

• Most frequently used DBMS model.

• Data are structured in tables.

– Columns represent the variables (attributes).

• “Atomic” - every row/column position is always exactly one data value and never a set of values.

– Rows contain the specific instances (records) of data.

Page 20

Relational DBMS (cont.)

Page 21

Relational DBMS (cont.)

• Data within the Database

– Consists of individual entities

– Entities are linked by relationships

– The DBMS describes the relationship between the data elements and provides the framework for organizing the data

Page 22

Primary Key

• Uniquely identifies each row and assists with indexing the table by the DBMS.

– Entity Integrity:

• A tuple cannot have a null value in the primary key.

• Guarantees that the tuple is uniquely identified by the primary key value.

Page 23

Foreign Key

• An attribute or combination of attributes in one table whose value must match a primary key value in another table. It helps link (join) tables together.

– Referential integrity:

• For any foreign key value, the referenced relation (the other table) must have a tuple with the same value in its primary key.

• A null value in the foreign key prevents a join.
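As an added example (not part of the (ISC)2 course material), the entity and referential integrity rules from the last two slides enforced by SQLite through Python's sqlite3 module, on a constructed departments/employees schema; the NULL foreign key case shows why such a row drops out of a join:

```python
import sqlite3

# Constructed schema (an assumption for this example, not from the course):
# employees.dept_id is a foreign key referencing departments.dept_id.
SCHEMA = """
CREATE TABLE departments (
    dept_id TEXT NOT NULL PRIMARY KEY,  -- NOT NULL spelled out: SQLite otherwise
    name    TEXT NOT NULL               -- tolerates NULL in a non-INTEGER primary key
);
CREATE TABLE employees (
    emp_id  INTEGER NOT NULL PRIMARY KEY,
    name    TEXT NOT NULL,
    dept_id TEXT REFERENCES departments(dept_id)  -- nullable foreign key
);
"""


def open_db():
    """In-memory database with the constructed schema and two departments."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite only enforces FKs when asked
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO departments VALUES (?, ?)",
                     [("ENG", "Engineering"), ("OPS", "Operations")])
    conn.commit()
    return conn


def attempt(conn, sql, params):
    """Run one statement in its own transaction; report 'ok' or the
    integrity error the DBMS raised (the statement is rolled back)."""
    try:
        with conn:  # commits on success, rolls back on exception
            conn.execute(sql, params)
        return "ok"
    except sqlite3.IntegrityError as exc:
        return f"rejected: {exc}"


def integrity_demo():
    conn = open_db()
    results = {}
    # Entity integrity: no NULL and no duplicate in the primary key.
    results["null_pk"] = attempt(conn, "INSERT INTO departments VALUES (?, ?)", (None, "Ghost"))
    results["dup_pk"] = attempt(conn, "INSERT INTO departments VALUES (?, ?)", ("ENG", "Again"))
    # Referential integrity: a foreign key value must exist as a primary key
    # in the referenced table ("HR" does not).
    results["orphan_fk"] = attempt(conn, "INSERT INTO employees VALUES (?, ?, ?)", (1, "Mallory", "HR"))
    results["valid"] = attempt(conn, "INSERT INTO employees VALUES (?, ?, ?)", (2, "Alice", "ENG"))
    # A NULL foreign key is accepted (the column is nullable) ...
    results["null_fk"] = attempt(conn, "INSERT INTO employees VALUES (?, ?, ?)", (3, "Bob", None))
    # ... and the referenced row cannot be removed while a child points at it.
    results["delete_parent"] = attempt(conn, "DELETE FROM departments WHERE dept_id = ?", ("ENG",))
    # Inner join: Bob's NULL dept_id never matches a primary key, so he is absent.
    results["joined"] = conn.execute(
        "SELECT e.name, d.name FROM employees e "
        "JOIN departments d ON e.dept_id = d.dept_id ORDER BY e.emp_id").fetchall()
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in integrity_demo().items():
        print(f"{key}: {value}")
```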

Page 24

Relational DBMS

Page 25

Relational Database Security Issues

• Ensuring integrity of input data.

• Preventing deadlocking (a stalemate in which two or more processes are each waiting for the other to do something before they can proceed).

• Access controls ensuring only authorized users are performing authorized activities.

Page 26

OODBMS & ORDBMS

• OODBMS (Object Oriented Database Management System) – Supports the modeling and creation of data as objects

• ORDBMS (Object Relational Database Management System) – Most commonly implemented as a relational DBMS with an object-oriented interface

Page 27

Database Interface Languages

• Standardized access methods that provide an interface to the database.

• Examples include:

– Open Database Connectivity (ODBC)

– Object Linking and Embedding (OLE)

– ActiveX Data Objects (ADO)

– Java Database Connectivity (JDBC)

– eXtensible Markup Language (XML)

Page 28

Database Security Issues

• Inference

• Aggregation

• Unauthorized Access

• Improper Modification of Data

• Access Availability

• Database Views

• Query attacks

• Bypass attacks

• Interception of data

• Web Security

• Data contamination

Page 29

Data Warehouse

• Consolidated view of enterprise data, optimized for reporting and analysis.

• Designed to support decision making through data mining.

• “Data mart” is a more focused and specialized data repository meeting the specific demands of a particular group or department.

Page 30

Data Warehouse

(Figure: before, separate databases for employees, customers, and suppliers/distributors; after, a single consolidated data warehouse)

Page 31

Building Data Warehouse

1. Feed all data into a large, high-security database.

2. Normalize the data.

3. Mine the data for correlations to produce metadata.

4. Sanitize and export the metadata to its intended users.

5. Put all new incoming data into the data warehouse.

Page 32

Data Warehouse (cont.)

Page 33

Metadata

• Information about data.

• A systematic method for describing resources and improving the retrieval of information.

• Provides:

– Valuable information on unseen relationships between data.

– Ability to correlate data that was considered unrelated.

Page 34

DBMS Controls Subtopics

• Lock Controls

• Online Transaction Processing (OLTP)

• View-Based Access Controls

• Knowledge Management

Page 35

Lock Controls

• Used to control read and write access to specific rows of data in relational systems, or objects in object-oriented systems.

• Locks ensure only one user at a time can alter data.

• Better programming logic and testing reduce deadlocking problems.

Page 36

Lock Controls - the ACID Test

• Atomicity – either all changes take effect or none do.

• Consistency – a transaction is allowed only if it meets owner/system-defined integrity constraints.

• Isolation – the results of the transaction are not visible until the transaction is complete.

• Durability – a completed transaction is permanent.

Page 37

Online Transaction Processing (OLTP)

• Records transactions as they occur - in real time.

• Security concerns are concurrency and atomicity.

– Concurrency controls ensure that two users cannot simultaneously change the same data.

– Atomicity ensures that if one step fails, then none of the steps complete.

Page 38

OLTP Systems Should:

• Detect when individual processes abort.

• Automatically restart an aborted process.

• Back out of a transaction if necessary.

• Have transaction logs record information on a transaction before it is processed, then mark it as processed after it is done.
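An added example (not from the course) of the ACID and OLTP points on the last three slides, using SQLite through Python's sqlite3 module on a constructed two-account ledger: a transfer whose debit violates an integrity constraint is backed out in full (atomicity and consistency), an uncommitted update is invisible to a second connection (isolation), and SQLite's write-ahead log plays the role of the transaction log:

```python
import os
import sqlite3
import tempfile


def init_ledger(path):
    """Create the constructed accounts table; the CHECK clause is the
    owner-defined integrity constraint that consistency must preserve."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA journal_mode = WAL")  # write-ahead log: readers never block the writer
    conn.execute("""CREATE TABLE accounts (
        id      INTEGER PRIMARY KEY,
        owner   TEXT    NOT NULL,
        balance INTEGER NOT NULL CHECK (balance >= 0))""")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [(1, "alice", 100), (2, "bob", 50)])
    conn.commit()
    conn.close()


def transfer(conn, src, dst, amount):
    """One OLTP transaction: credit first, then debit. If the debit fails the
    CHECK constraint, the already-applied credit is rolled back with it."""
    try:
        with conn:  # commits on success, rolls back on any exception
            conn.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, dst))
            conn.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, src))
        return True
    except sqlite3.IntegrityError:
        return False  # transaction backed out; nothing reached the database


def balances(conn):
    return dict(conn.execute("SELECT id, balance FROM accounts ORDER BY id"))


def acid_demo():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "ledger.db")
        init_ledger(path)
        writer = sqlite3.connect(path)
        reader = sqlite3.connect(path)
        out = {}
        out["ok_transfer"] = transfer(writer, 1, 2, 30)   # True
        out["after_ok"] = balances(writer)                # {1: 70, 2: 80}
        # Overdraft: bob is credited 500, then alice's debit would make her
        # balance -430, so the CHECK fails and the credit is undone too.
        out["overdraft"] = transfer(writer, 1, 2, 500)    # False
        out["after_overdraft"] = balances(writer)         # still {1: 70, 2: 80}
        # Isolation: an in-flight update is not visible to another connection.
        writer.execute("UPDATE accounts SET balance = balance - 10 WHERE id = 1")
        out["reader_during"] = balances(reader)[1]        # 70, old value
        writer.commit()                                   # durable from here on
        out["reader_after"] = balances(reader)[1]         # 60
        writer.close()
        reader.close()
        return out


if __name__ == "__main__":
    for key, value in acid_demo().items():
        print(f"{key}: {value}")
```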

Page 39

View-Based Access Controls

• Security achieved through the appropriate use of ‘views.’

– Allows the database to be logically divided into pieces - sensitive data is hidden from unauthorized users.

– Controls are located in the front-end application that the user interfaces with and not the back-end query engine.

Page 40

Knowledge Management

• In order for data to be helpful, it must have meaning.

• The interpretation of data into meaning generates knowledge.

• To automate the process, knowledge-based systems are used.

Page 41

Knowledge Management

• Knowledge Discovery in Databases (KDD)

– Methods of identifying valid and useful patterns in data.

– An evolving field of study to provide automated analysis.

• Some KDD methods use artificial intelligence (AI) techniques

Page 42

Knowledge Management

Main approaches:

• Probabilistic Approach

– Based on probabilities and data interdependencies

• Statistical Approach

– Uses rule discovery and is based on data relationships

• Classification Approach

– Groups data according to similarities

Page 43

Knowledge Management (cont.)

• Deviation and Trend Analysis

– Uses filtering techniques to detect patterns.

• Neural Networks

– Organizes data into nodes that are arranged in layers, and links between the nodes have specific weighting classifications.

Page 44

Knowledge Management (cont.)

• Expert System Approach

– Uses a knowledge base and a set of algorithms and/or rules that infer new facts from knowledge and incoming data.

• Hybrid Approach

– Combination of more than one approach that provides a more powerful and useful system.

Page 45

Knowledge Management Security Controls

• Protect the knowledge database the same as you would any other database.

• Routinely verify decisions based on expected outcomes.

– If output seems suspicious, perform additional and different queries.

• Ensure all changes to rules go through a change-control process.

• Develop a baseline of expected performance.

Page 46

Subtopics

• Applications Environment

• Database and Data Warehouse Environment

• Environment Threats

• System Life Cycle

• Software Development Methods

• Programming Languages

• Object Oriented Technology

• Software Protection Mechanisms

• Web Application Environment

• Assurance Mechanisms

Page 47

Application Environment Threats

• Object reuse

– An object may contain sensitive residual data

• Garbage collection

– De-allocation of storage following program execution

• Trap doors/back doors

– Hidden mechanisms that bypass authentication measures

– Could enable unauthorized access

Page 48

Threats (cont.)

• Buffer Overflow

– The process of exploiting a program weakness by sending long strings of input data to a system that is not prepared to truncate it through proper bounds checking.

– Developers should take this type of vulnerability into account when developing and testing programs.

Page 49

Threats (cont.)

• Denial of Service

– The result of another person or process consuming the resources on the system and thus denying the resources for the use of others.

– When testing programs, test for how the application would respond to a DoS attack.

Page 50

Threats (cont.)

• Time of Check/Time of Use (TOC/TOU)

– When control information is changed between the time that the system security functions check the contents of the variables and when the variables are actually used.

• Malformed input attacks:

– SQL Injection – inserting a series of SQL statements into a 'query' by manipulating data input into an application
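An added example (not from the course) of the SQL injection point above, using Python's sqlite3 module and a constructed product table: a lookup that builds its query by string concatenation beside the parameterized form, with the same constructed inputs run against both so the difference in what the database executes is visible:

```python
import sqlite3


def open_catalog():
    """Constructed sample table; internal_cost stands in for data a customer
    should never be able to enumerate."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, internal_cost INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "widget", 4), (2, "gadget", 9), (3, "gizmo", 12)])
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    # The input is spliced into the statement text, so any quote or operator
    # it contains becomes part of the SQL the engine parses.
    sql = "SELECT name FROM products WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    # The input is bound as a value after parsing; it can only ever be
    # compared against the column, never interpreted as SQL.
    sql = "SELECT name FROM products WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]


def injection_demo():
    conn = open_catalog()
    benign = "widget"
    # Constructed hostile input: closes the literal and appends a tautology,
    # which turns the WHERE clause into one that matches every row.
    hostile = "x' OR '1'='1"
    out = {
        "vuln_benign": lookup_vulnerable(conn, benign),        # ['widget']
        "vuln_hostile": lookup_vulnerable(conn, hostile),      # every product
        "safe_benign": lookup_parameterized(conn, benign),     # ['widget']
        "safe_hostile": lookup_parameterized(conn, hostile),   # [] (no such name)
    }
    conn.close()
    return out


if __name__ == "__main__":
    for key, value in injection_demo().items():
        print(f"{key}: {value}")
```

Parameter binding is the primary control; input validation and least-privilege database accounts limit what a query can reach if a concatenated statement survives somewhere in the application.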

Page 51

Threats (cont.)

• Executable Content/Mobile Code

– Code that is downloaded to the user’s machine and executed.

– Running programs on a computer may give the program unexpected access to resources on the machine.

– Examples include:

• Web applets - mini programs written in Java that are automatically loaded and run.

• Dynamic email - active scripts/messages are included in email messages.

Page 52

Threats (cont.)

• Incomplete Parameter Check and Enforcement

• Covert Channels

• Inadequate Granularity of Controls

• Social Engineering

• Multiple Paths to Information

Page 53

Malware and Viruses

Malicious Software Definition:

• Software or programs intentionally designed to include functions for penetrating a system, breaking security policies, or to carry malicious or damaging payloads.

• Programming bugs or errors are not generally included in the topic

• Backdoors, data diddlers, DDoS, hoax warnings, logic bombs, pranks, RATs, trojans, viruses, worms, zombies, etc.

Page 54

Network Aware

Modern malware is network aware.

– New means of spread

– New methods of attack

– New payloads

Page 55

Network Aware Example: SQL Slammer

• ~100,000 hosts infected in ten minutes

• Sent more than 55 million probes per second world wide

• Collateral damage: Bank of America ATMs, 911 disruptions, Continental Airlines cancelled flights

• Unstoppable; relatively benign to hosts

(Figure: infection maps at 9:30PM (PST) and 9:40PM (PST))

Source – www.caida.org

Page 56

Malware

Compatible – Platform Dominance

• Intel / BIOS hardware

• MS Windows operating systems

• Linux operating systems

• MS Office applications

• MS email and Web applications

Page 57

Malware Functionality

• MS Office macros

• MS Windows Script Host (.vbs)

• ‘Active’ Web content

– HTML, VBScript, Jscript++, etc.

• Viruses, etc. can carry source code

Page 58

Malware Types

• Virus

• Worm

• Hoax warning

• Trojan

• Logic bomb

• Data diddler

• Backdoor

• RAT (Remote Access Trojan)

• DDoS (Distributed Denial of Service) zombie

• Prank

• Spyware / Adware

• Botnets

Many modern malware programs cross boundaries, combining more than one type of function.

Page 59

Malware Types - Virus

• Central characteristic is reproduction

• Generally requires some action by the user

• May or may not carry payloads

• Payload may or may not be damaging

Page 60

Virus Types

• File infector

• Boot sector infector

• System infector

• Email virus

• Multipartite

• Macro virus

• Script virus

• Hoax

Page 61

Malware Types - Hoax

• Uses users rather than programming

• ‘Meme’ or mind virus, social engineering

• Usually warns of a ‘new virus’

• Can be a bigger problem than viruses themselves

Page 62

Virus Anti-Detection

• Stealth

– General reference to all forms of anti-detection technology

• Tunneling

• Polymorphism

• Antivirus (anti-malware) disabling

Page 63

Virus Structure

• Infection / reproduction

• Target search

• Infection

• Payload trigger

• Payload

Page 64

Malware Types - Worm

• Reproduces

– Generally uses loopholes in systems

• Does not involve the user

– Often attacks server software of some type

Page 65

Malware Types – Trojan Horse

• Purported to be a positive utility

– Hidden negative payload

– Social engineering

Page 66

Malware Types – Logic Bomb

• Generally implanted by an insider

• Waits for condition or time

• Triggers negative payload

Page 67

Malware Types – Data Diddler

• Payload in a Trojan or virus that deliberately corrupts data, generally by small increments over time

Page 68

Malware Types – Backdoor, Trapdoor

• Implanted intentionally in development, or by error, usually by an insider

• Maintenance hook (may have been deliberate and useful)

• Also bug / loophole / wormhole

Page 69

Malware Types – RAT

• Installed, usually remotely, after the system is installed and working, not in development

– Trojan vs. tool

– Rootkits require a working account; RATs generally don’t

Page 70

Malware Types – DDOS Zombie

• Expands the effect of denial of service.

– Sits in the middle of the master/attacker – agent – target structure.

– Hides the attacker, multiplies the attack.

Page 71

Malware Types - Prank

• Intended as humor, not malice

– Could still cause problems

• ‘Joke’ screen could cover an important alert message

– Easter eggs

• Cause file bloat, disk consumption

• Code checking more complex

Page 72

Malware Types – Spyware and Adware

• Intended as marketing, not malice

• Installed with other software

– As a separate function or program

• Generates unwanted or irrelevant advertising

• Reports on user activities

– Possibly other installed programs, possibly user surfing

Page 73

Malware Types – BotNets

• Networks of infected machines.

– For distributed denial of service.

– As proxies for SPAM.

– Often controlled via Internet Relay Chat servers

Page 74

Quick Quiz

• What are lock controls?

• What are database management systems used for?

• What is the difference between a Hierarchical DBMS and a Network DBMS?

• What are some of the significant threats to the applications environment?

Page 75

Section Summary

• Lock controls are used to control read and write access to specific rows of data in relational systems, or objects in object-oriented systems.

• Database management systems are used to manage large, structured sets of data, provide access to multiple users, and enforce integrity of data.

• A Hierarchical DBMS captures records in a single table and is limited to a single tree, whereas a Network DBMS represents data as a network of records and sets that are related to each other, forming a network of links.

• Application environment threats include malicious software, trap doors and back doors, object reuse, etc.

Page 76

Subtopics

• Applications Environment

• Database and Data Warehouse Environment

• Environment Threats

• System Life Cycle

• Software Development Methods

• Programming Languages

• Object Oriented Technology

• Software Protection Mechanisms

• Web Application Environment

• Assurance Mechanisms

Page 77

Section Objectives

• List the types of software development methods

• Define programming language

• Describe software protection mechanisms

• Describe the system development life cycle

• List information security activities

Page 78

System Life Cycle

• Project management-based methodology used to plan, execute, and control software development and maintenance

• Provides a framework for the phases of software development projects and includes disposal stage

• Involves teams of developers, analysts, owners, users, technical experts, and security experts

Page 79

System Life Cycle

Typical Phases of a System Life Cycle (figure): Start-up; Acquisition & Development; Implementation; Operations & Maintenance; Decommissioning.

Page 80

Systems Development Life Cycle Framework

(figure) Phases: Initiation/Requirements; Functional Design; Detailed Design; Development/Construction; Testing; Production Maintenance. Grouped into the bands Define, Design, Develop, Deliver.

Page 81

Project Initiation and Planning

Page 82

Functional Design Definition

Page 83

Detailed Design Specifications

Page 84

Develop and Document

Page 85

Acceptance, Testing and Transition to Production

Page 86

Decommissioning / Disposal

• When an asset is being taken out of production and is decommissioned or retired, the asset owner shall ensure the following stages are adhered to:
  – Information Recovery Protection Requirements
  – Media Sanitization
  – Hardware and Software Disposal


Page 88

Software Development Methods

• Waterfall – Each phase at a time
  – Easy updates but does not scale to large, complex projects

• Spiral – Combination of Waterfall and Prototype
  – Risk assessment at each phase, with Go/No Go decision

• Iterative Development – multiple waterfall approach
  – Successive refinements in requirements and design

• Joint Analysis Development – Users & Developers
  – Focus on team of experts; used for mainframe systems development

• Prototyping – build simple version first, then refine
  – 4 steps: concept, design/build, refine, complete and release

• Rapid Application Development (RAD) – rapid prototype
  – Strict time limits imposed to allow quick development

Page 89

Software Development Methods (cont.)

• Modified Prototype Model (MPM) – dynamic model which changes over time as organization needs change

• Exploratory Model – research used to enhance existing model

• Reuse Model – Object oriented

• Cleanroom – Zero Defect approach

• Computer Aided Software Engineering (CASE) – For large, complex projects

• Component Based Development – Standardized building block approach

• Structured Programming Development – Modular development, high quality

• Extreme Programming – 80% function in 20% of the time allotted using small teams to keep it simple


Page 91

Programming Languages

• A language is a set of rules that tell the computer what operations to perform.

• Languages have evolved in “generations.”
  – Generation One - Machine language
  – Generation Two - Assembly language
  – Generation Three - High-level language
  – Generation Four - Very high-level language
  – Generation Five - Natural language

Page 92

Programming Languages

• Examples of languages include:
  – Active X
  – COBOL, PL/I
  – C, C-Plus, C++
  – HTML
  – Java
  – Visual Programming Languages
    • Visual Basic, Visual C, Delphi

Page 93

Assemblers, Compilers, and Interpreters

• Assembler - program that translates an assembly language program into machine language

• Compiler - translates a high-level language into machine language

• Interpreter - instead of compiling a program at once, the interpreter translates it instruction-by-instruction. It has a fetch and execute cycle.

Page 94

Quick Quiz

• What is a programming language?

• What is a system development life cycle?

• At what point in the system’s development life cycle should security be addressed?

Page 95

Section Summary

• A programming language is a set of rules that tell the computer what operations to perform.

• A system development life cycle is a project management-based methodology used to plan, execute, and control software development.

• Security requirements should be addressed within every phase of the systems development life cycle.


Page 97

Section Objectives

• Describe Object Oriented Technology

• List some of the software protection mechanisms that can be used to protect the applications environment

• Describe key web application security principles

• Describe and understand change management principles

Page 98

Object-Oriented Programming

• Programming method that creates an “object.”
  – The object is a block of pre-assembled code that is a self-contained module.
  – Once written, objects can be reused.
  – Objects are encapsulated, thus providing some security.
  – Objects have methods (code with programming interfaces) and attributes (data) encapsulated together.

Page 99

Distributed Object Oriented Systems

• Three main items:
  – Classes - tell the system how to make objects
  – Objects - an instance of the class
  – Message - objects perform work by sending messages to other objects

Page 100

Object-Oriented Considerations

• Inheritance
  – An object derives data and functionality from another object

• Polymorphism
  – Different objects respond to the same command in different ways

Page 101

Object-Oriented Considerations

• Polyinstantiation
  – Creating a new version of an object by replacing variables with other values (or variables)
  – Also used to prevent inference attacks against databases because it allows different versions of the same information to exist at different classification levels.
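The following is an added example, not code from the (ISC)² course, showing how polyinstantiation lets one primary key carry a different tuple per classification level so that a reader with a low clearance cannot infer that a higher-level row exists. The level names, the `PolyinstantiatedTable` class and the `SHIP-7` rows are constructed for the illustration.

```python
"""Added example: a polyinstantiated table (not course code).

The same primary key holds one tuple per classification level; a reader sees
only the highest-level instance their clearance dominates, so a low-cleared
user cannot infer that a higher-level row exists. Level names and the sample
rows are constructed for this illustration.
"""
from dataclasses import dataclass

# Ordered lattice of classification levels (constructed, lowest first).
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET"]


@dataclass(frozen=True)
class Row:
    key: str    # primary key shared by every instance of the row
    level: str  # classification label of this particular instance
    cargo: str  # attribute whose value may differ between instances


class PolyinstantiatedTable:
    def __init__(self):
        # (key, level) -> Row: the level is part of the effective primary key
        self._rows = {}

    def insert(self, key, level, cargo):
        """Create an instance at the writer's level without touching other levels.

        A low-level insert over an existing high-level row neither fails nor
        overwrites it, so the outcome of the insert cannot reveal the high row.
        """
        if level not in LEVELS:
            raise ValueError(f"unknown level {level!r}")
        self._rows[(key, level)] = Row(key, level, cargo)

    def read(self, key, clearance):
        """Return the highest-level instance the clearance dominates, or None."""
        visible = LEVELS[: LEVELS.index(clearance) + 1]
        candidates = [row for (k, lvl), row in self._rows.items()
                      if k == key and lvl in visible]
        if not candidates:
            return None
        return max(candidates, key=lambda row: LEVELS.index(row.level))


def demo():
    """Constructed sample: the real cargo is SECRET, the cover story is UNCLASSIFIED."""
    table = PolyinstantiatedTable()
    table.insert("SHIP-7", "SECRET", "missiles")
    table.insert("SHIP-7", "UNCLASSIFIED", "grain")  # low-level write does not collide
    return {
        "unclassified_view": table.read("SHIP-7", "UNCLASSIFIED").cargo,
        "confidential_view": table.read("SHIP-7", "CONFIDENTIAL").cargo,
        "secret_view": table.read("SHIP-7", "SECRET").cargo,
    }
```

The CONFIDENTIAL reader gets the UNCLASSIFIED instance because it is the highest one their clearance dominates; without polyinstantiation the low-level insert would have had to fail on a duplicate key, and that failure is the inference channel the slide refers to.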

Page 102

Distributed Component Object Model (DCOM)

• Based on the growth of distributed computing.

• Allows applications to be divided into pieces called components, and each component can exist in a different location.

• The software components can interact with each other as an integrated Web application. It uses ActiveX technology to control how software components can communicate.

Page 103

Common Object Request Broker Architecture (CORBA)

• A set of standards that address the need for interoperability between hardware and software.
  – Allows applications to communicate with one another regardless of their location.
  – The Object Request Broker (ORB) establishes a client/server relationship between objects.
  – The ORB enforces the system’s security policy.

Page 104

CORBA

• Client sends a message to another object.

• The message is sent through the ORB security system.


Page 106

Software Protection Mechanisms: Subtopics

• Cryptography

• Access Controls

• Social Engineering Awareness

• Backup and Redundancy Controls

• Malicious Code Control

• Documentation and Common Program

• Testing and Evaluation

• Mobile Code Controls

• Data Contamination Controls

Page 107

Cryptography

• Protects information by transforming it using encryption schemes.
  – Protects the confidentiality of data.
  – Can be used to detect unauthorized modification of data/programs.
  – Specific files within operating systems are encrypted to provide security protection.

Page 108

Access Controls

• Physical
  – Isolate production and programming environments
  – Separate data for each environment

• Administrative
  – Change management
  – User registration

• Logical
  – Content Dependent
  – Rules/Roles Based
  – Access control lists and permissions
    • Read/write/execute control
  – Capabilities and tokens
  – User Authentication

Page 109

Backup and Redundancy Controls

• Providing backups of operating system and application software ensures programs are available in the event of an outage or system crash.

• Disk mirroring, Redundant Array of Independent Disks (RAID), etc.

• Purchased source code kept in escrow.

Page 110

Protection from Malicious Code: Subtopics

• Known signature scanning

• Activity monitoring

• Change detection

Page 111

Known Signature Scanning

• Signatures of known objects (viruses, other types).

• Program code, packets, ports, memory

• Update signatures – possibly daily.

• Subject to false negatives / false acceptance errors.

Page 112

Activity Monitoring

• Auditing
  – Monitoring processing, disk activity, communications traffic.
  – Heuristic scanning – watch for small but suspicious code strings.
    • e.g.: Code that may request privileged access.

Page 113

Change Detection

Detection:
  – Changes to program files, processes.
  – Addition of new executable files.
  – Often incorrectly referred to as integrity checking.
    • May be misleading – the integrity of the system may have been compromised before establishment of the initial baseline.
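An added example (not the course's own code) of the change-detection approach this slide describes: build a baseline of file digests, take a later snapshot, and report modified files and newly added executables. The directory tree, the file names and the `EXECUTABLE_SUFFIXES` list are constructed, and the example runs inside a temporary directory so it works offline.

```python
"""Added example: baseline-and-compare change detection (not course code).

Builds a baseline of SHA-256 digests for every regular file under a directory,
then compares a later snapshot against it to report modified files, added
files and, in particular, newly added executables. The sample tree is
constructed inside a temporary directory so the example runs offline.
"""
import hashlib
import os
import stat
import tempfile

# Constructed list of suffixes treated as executable in addition to the mode bit.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".so", ".sh", ".bat")


def _sha256(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _is_executable(path):
    mode = os.stat(path).st_mode
    return bool(mode & stat.S_IXUSR) or path.lower().endswith(EXECUTABLE_SUFFIXES)


def build_baseline(root):
    """Return {relative path: {"sha256": ..., "exec": bool}} for every regular file."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = {"sha256": _sha256(full), "exec": _is_executable(full)}
    return baseline


def compare(baseline, current):
    """Diff two snapshots. Only changes since the baseline are visible: anything
    already compromised when the baseline was taken looks clean here."""
    modified = sorted(p for p in baseline
                      if p in current and baseline[p]["sha256"] != current[p]["sha256"])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {
        "modified": modified,
        "added": added,
        "new_executables": [p for p in added if current[p]["exec"]],
        "removed": removed,
    }


def _write(root, rel, text, executable=False):
    """Helper to lay down the constructed sample files."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as handle:
        handle.write(text)
    if executable:
        os.chmod(full, os.stat(full).st_mode | stat.S_IXUSR)


def demo():
    """Constructed scenario: take a baseline, then change a config and drop a new script."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "app.cfg", "debug=false\n")
        _write(root, "bin/run.sh", "#!/bin/sh\necho ok\n", executable=True)
        baseline = build_baseline(root)

        _write(root, "app.cfg", "debug=true\n")                        # modified file
        _write(root, "bin/helper.sh", "#!/bin/sh\n", executable=True)  # new executable
        _write(root, "notes.txt", "reminder\n")                        # new, not executable
        return compare(baseline, build_baseline(root))
```

The slide's caveat applies directly to `compare`: a compromise that predates `build_baseline` is invisible, so the baseline has to be taken from a known-good build and stored where the monitored host cannot rewrite it.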

Page 114

Documentation and Common Program Controls

• Protect operating system and application software.

• Protect job and system documentation.

• Protect logs.

• Have a program library to control and record changes.

Page 115

Input Data Contamination Controls

• Transaction counts
• Dollar counts
• Hash totals
• Error detection
• Error correction
• Resubmission controls
• Self-checking digits
• Control totals
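An added example, not from the course, that implements several of these controls together: transaction count, dollar total and hash total as batch control totals checked against a batch header, and a self-checking digit on each account number. The Luhn (mod-10) algorithm is used as the check-digit scheme, and the header, account numbers and amounts are constructed sample data.

```python
"""Added example: batch input controls (not course code).

A batch header carries the control totals the sender computed (transaction
count, dollar total, hash total of account numbers); the receiver recomputes
them and also checks each account number's check digit before accepting the
batch. Luhn (mod-10) stands in for the self-checking digit scheme; the header
and transactions are constructed sample data.
"""
from decimal import Decimal


def luhn_valid(number):
    """True if the digit string passes the Luhn check-digit test."""
    if not number.isdigit():
        return False
    total = 0
    for position, char in enumerate(reversed(number)):
        digit = int(char)
        if position % 2 == 1:        # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def validate_batch(header, transactions):
    """Recompute the control totals and compare them with the batch header."""
    errors = []
    for tx in transactions:
        if not luhn_valid(tx["account"]):
            errors.append(f"check digit failed for account {tx['account']}")

    count = len(transactions)
    dollars = sum((Decimal(tx["amount"]) for tx in transactions), Decimal("0"))
    # Hash total: arithmetic sum of a field with no business meaning (account
    # numbers), used only to detect dropped, duplicated or mistyped records.
    hash_total = sum(int(tx["account"]) for tx in transactions if tx["account"].isdigit())

    if count != header["count"]:
        errors.append(f"transaction count {count} != header {header['count']}")
    if dollars != Decimal(header["dollars"]):
        errors.append(f"dollar total {dollars} != header {header['dollars']}")
    if hash_total != header["hash_total"]:
        errors.append(f"hash total {hash_total} != header {header['hash_total']}")

    return {"accepted": not errors, "errors": errors,
            "count": count, "dollars": dollars, "hash_total": hash_total}


# Constructed batch: two account numbers that pass the Luhn check.
GOOD_BATCH = [
    {"account": "79927398713", "amount": "100.00"},
    {"account": "4111111111111111", "amount": "50.00"},
]
HEADER = {"count": 2, "dollars": "150.00",
          "hash_total": 79927398713 + 4111111111111111}


def demo():
    """Return results for the clean batch and for a batch with one mistyped account."""
    good = validate_batch(HEADER, GOOD_BATCH)
    # One mistyped digit: it fails the check digit and the hash total while
    # leaving the count and the dollar total unchanged, which is exactly the
    # kind of error those two controls on their own would miss.
    bad_batch = [GOOD_BATCH[0], {"account": "4111111111111112", "amount": "50.00"}]
    bad = validate_batch(HEADER, bad_batch)
    return good, bad
```

The controls are complementary: the count catches dropped or duplicated records, the dollar total catches altered amounts, the hash total and check digit catch corrupted identifiers that leave the money fields intact.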

Page 116

Output Data Controls

• Verify validity of transactions through:
  – Reconciliation
  – Physical-handling procedures
  – Authorization controls
  – Verification with expected results
  – Audit trails
  – Error report handling and analysis

Page 117

Executable Code/Mobile Code Controls

• Limit the program to required resources only.
  – e.g. use a sandbox environment

• Examine and limit downloading of mobile code at firewall.

• Use cryptographic authentication to show the user who is responsible for the code.

Page 118

Testing and Evaluation

• Test data should include data at the ends of the acceptable data ranges, various points in between, and data beyond the expected and allowed data points.
  – Test known and possible user entry activities.
  – Perform ‘bounds’ and valid data checking, such as field size, time, date, etc.

Page 119

Testing and Evaluation (cont.)

• Validate data both before and after job runs.

• Sanitize test data to ensure sensitive production data is not exposed through test process.
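An added example (not course code) of the boundary-value test data the previous slide calls for: each validator is exercised at the ends of its range, just inside and just outside it, and with malformed input. The validators, the 1..999 range, the 8-character field limit and the date cases are constructed; `validate_quantity_off_by_one` is included only to show the kind of defect such data catches.

```python
"""Added example: boundary-value test data for field validators (not course code).

The validators and test cases are constructed for this illustration. The
point is the test data: values at both ends of each range, just inside and
just outside it, plus malformed input, so that an off-by-one check is caught
at the boundary during testing rather than in production.
"""
from datetime import datetime


def validate_quantity(value, low=1, high=999):
    """Integer within [low, high] inclusive; rejects bool and non-integers."""
    if isinstance(value, bool) or not isinstance(value, int):
        return False
    return low <= value <= high


def validate_quantity_off_by_one(value, low=1, high=999):
    """Same check with a typical defect: the upper bound is exclusive."""
    if isinstance(value, bool) or not isinstance(value, int):
        return False
    return low <= value < high


def validate_field_size(text, max_len=8):
    """Non-empty string no longer than max_len characters."""
    return isinstance(text, str) and 1 <= len(text) <= max_len


def validate_date(text):
    """Calendar date in YYYY-MM-DD form (rejects 2005-02-29, month 13, etc.)."""
    if not isinstance(text, str):
        return False
    try:
        datetime.strptime(text, "%Y-%m-%d")
        return True
    except ValueError:
        return False


def boundary_cases(low, high):
    """(value, expected) pairs at and just beyond both ends of an integer range,
    plus malformed input of the wrong type."""
    return [
        (low - 1, False), (low, True), (low + 1, True),
        (high - 1, True), (high, True), (high + 1, False),
        ("12", False), (None, False), (True, False),
    ]


# Constructed cases for the field-size and date validators.
FIELD_SIZE_CASES = [("", False), ("a", True), ("abcdefgh", True),
                    ("abcdefghi", False), (8, False)]
DATE_CASES = [
    ("2004-02-29", True), ("2005-02-29", False),   # leap-day boundary
    ("2005-01-01", True), ("2005-00-01", False),   # month lower bound
    ("2005-12-31", True), ("2005-13-01", False),   # month upper bound
    ("2005-02-30", False), ("20050101", False), ("", False),
]


def failures(validator, cases):
    """Return the inputs for which the validator disagrees with the expected verdict."""
    return [value for value, expected in cases if validator(value) != expected]
```

Running `failures` over `boundary_cases(1, 999)` reports nothing for the correct validator and exactly `[999]` for the defective one: the value at the upper boundary is the only input that distinguishes them, which is why the slide insists on testing the ends of each range and not just points in between.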


Page 121

Web Site Incidents - Examples

• Vandalism

• Financial fraud

• Privileged access

• Theft of transaction information

• Theft of intellectual property

• Denial of Service (DoS)

Page 122

Web Application Environment

• Majority of the hacks being performed today are at the application level.
  – Easiest way to compromise hosts, networks.
  – Widely accessible.
  – Logs are often non-existent.
  – Minimal intrusion detection.

• Most traditional firewalls provide minimal protection.

Page 123

Securing Web Servers: Traditional Architecture

Page 124

Web Application Security: Why A Firewall Doesn’t Help

(figure) A Firewall in front of a Web Server and a Database Server; the firewall is labelled with port 80/443 alongside other port numbers.

Page 125

Securing Web Servers: Best practices

• Institute a DMZ Quality Assurance signoff process for web servers
  – Hardening of operating system
  – Hardening of web server
  – Execution of a web and network scan before deployment

• Consider the use of passive assessment IDS technology

• Consider the use of Web application firewalls

• Consider the use of advanced IPS systems

• Implement SYN proxies on the firewall

• Disable unnecessary documentation and libraries

Page 126

Securing Web Servers: Web Application Firewall Architecture

Page 127

Web Application Security: Subtopics

• Information Gathering
• Administrative Interfaces
• Authentication and Access Control
• Configuration Management
• Input Validation
• Parameter Manipulation
• Session Management

Page 128

Information Gathering

• Problem:
  – Information may be gathered through:
    • Browser cache and history
    • HTML comments
    • Error pages returned by server
    • Old, backup and unreferenced files
    • Database usernames and passwords in ASP files
    • Un-parsed include (INC) files

• Solution:
  – Be aware of the information and limit its availability

Page 129

Administrative Interfaces

• Problem:
  – Most commercial software and web application servers install administrative features by default
  – Many in-house applications contain a web administration page

• Solution:
  – Ensure these interfaces are removed or secured appropriately
  – Only allow access from authorized hosts or networks
  – Do not hard code authentication credentials
  – Ensure they are at least as secure as the rest of the application

Page 130

Authentication & Access Control

• Problem:
  – Authentication process may be vulnerable to brute force attacks
  – Denial of service possible by mass account lockout
  – Authentication process may be vulnerable to password sniffing

• Solution:
  – Account lockout & logging procedures
  – Ensure all authentication traffic is encrypted
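An added example, not the course's code, of the account lockout and logging procedure the slide prescribes, written so that the lock expires on its own; a self-expiring lock is what bounds the mass-lockout denial of service listed under Problem, since an attacker can delay a victim's login for one window but cannot disable the account outright. The `Authenticator` class, the `MAX_FAILURES` and `LOCKOUT_SECONDS` thresholds, the account, password and source address are all constructed.

```python
"""Added example: account lockout with an audit trail (not course code).

Credentials, accounts and the lockout thresholds are constructed. The lock is
temporary and expires by itself, which limits the mass-lockout denial of
service the slide names; every outcome is appended to an audit trail.
"""
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5          # consecutive failures before the account locks (constructed)
LOCKOUT_SECONDS = 900     # how long a lock lasts (constructed)


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class Authenticator:
    def __init__(self, users, clock=time.monotonic):
        self._users = users          # account -> (salt, digest)
        self._clock = clock          # injectable so the test can advance time
        self._failures = {}          # account -> consecutive failure count
        self._locked_until = {}      # account -> time the lock expires
        self.events = []             # audit trail; a real system ships this to a SIEM

    def _log(self, outcome, account, source):
        self.events.append({"t": self._clock(), "outcome": outcome,
                            "account": account, "source": source})

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self._clock() >= until:                 # lock expired: clear it
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def login(self, account, password, source):
        """Return "ok", "denied" or "locked"; every outcome is logged."""
        if self.is_locked(account):
            self._log("locked", account, source)
            return "locked"
        record = self._users.get(account)
        # Hash even for unknown accounts so response time does not reveal which exist.
        salt, expected = record if record else hash_password("", b"\0" * 16)
        _, actual = hash_password(password, salt)
        if record and hmac.compare_digest(actual, expected):
            self._failures.pop(account, None)
            self._log("success", account, source)
            return "ok"
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= MAX_FAILURES:
            self._locked_until[account] = self._clock() + LOCKOUT_SECONDS
            self._log("lockout", account, source)
            return "locked"
        self._log("failure", account, source)
        return "denied"


def demo():
    """Constructed walk-through: repeated wrong passwords, then the right one before and after expiry."""
    now = [0.0]
    auth = Authenticator({"alice": hash_password("correct horse")}, clock=lambda: now[0])
    source = "10.0.0.5"   # constructed client address
    results = [auth.login("alice", "wrong", source) for _ in range(MAX_FAILURES)]
    results.append(auth.login("alice", "correct horse", source))  # right password, still locked
    now[0] += LOCKOUT_SECONDS + 1
    results.append(auth.login("alice", "correct horse", source))  # lock has expired
    return results, [event["outcome"] for event in auth.events]
```

The `lockout` event carries the source address, which is what lets a monitoring team tell a forgotten password (one source, one account) from a brute-force or mass-lockout campaign (one source, many accounts, or many sources, one account).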

Page 131

Configuration Management

• Problem:
  – Most software is delivered with insecure configurations
    • Default accounts

• Solution:
  – Remove default configurations
  – Configure permissions on web server correctly (read/write access)
  – Up-to-date vendor patches

Page 132

Input Validation

• Problem:
  – Buffer overflows
  – Client-side validation
  – Cross-site scripting
  – Direct OS commands
  – Direct SQL commands
  – Path traversal
  – Unicode encoding
  – URL encoding

• Solution:
  – Adequate data validation
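An added example (not the course's code) of what "adequate data validation" means for three of the listed problems: a SQL lookup built by string concatenation beside a parameterised, allow-listed one, and a path join that refuses to resolve outside its base directory. The `users` table, the `USERNAME_RE` policy, the paths and the `demo` inputs are constructed.

```python
"""Added example: server-side input validation (not course code).

Three of the problems on the slide, each beside the control that addresses it:
a SQL lookup built by string concatenation next to a parameterised one, an
allow-list check on a username field, and a path join that refuses to leave
its base directory. The table, users and paths are constructed sample data.
"""
import os
import re
import sqlite3

# Allow-list: what a username is permitted to look like (constructed policy).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def valid_username(value):
    return isinstance(value, str) and USERNAME_RE.fullmatch(value) is not None


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_role_unsafe(conn, name):
    """Vulnerable form: the value is pasted into the statement text, so a
    quote character inside it changes the meaning of the query."""
    return conn.execute(f"SELECT role FROM users WHERE name = '{name}'").fetchall()


def lookup_role_safe(conn, name):
    """Hardened form: reject anything outside the allow-list, then bind the
    value as a parameter so it is only ever compared, never parsed as SQL."""
    if not valid_username(name):
        return []
    return conn.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchall()


def safe_join(base_dir, user_path):
    """Resolve user_path under base_dir and refuse any result outside it.

    Comparing with commonpath (not startswith) also rejects a sibling such as
    base_dir + "2", which a plain prefix check would wrongly accept.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes the base directory")
    return target


def escapes_base(base_dir, user_path):
    """True if safe_join refuses the path."""
    try:
        safe_join(base_dir, user_path)
        return False
    except ValueError:
        return True


def demo():
    conn = setup_db()
    probe = "x' OR '1'='1"      # quote-breaking input: valid to no allow-list
    base = os.path.join(os.sep, "srv", "app", "files")   # constructed base directory
    return {
        "unsafe_rows": len(lookup_role_unsafe(conn, probe)),
        "safe_rows": len(lookup_role_safe(conn, probe)),
        "alice": lookup_role_safe(conn, "alice"),
        "inside_ok": safe_join(base, "reports/q1.txt").endswith(os.path.join("reports", "q1.txt")),
        "escape_blocked": escapes_base(base, "../../config/secrets.txt"),
        "sibling_blocked": escapes_base(base, "../files2/x"),
    }
```

The unsafe lookup returns every row for the quote-breaking input while the safe one returns none; the same input is rejected twice over, first by the allow-list and then, had it slipped through, by parameter binding. That layering is the defense-in-depth principle from the later Web Application Security Principles slide applied to a single field.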

Page 133

Parameter Manipulation

• Problem:
  – Cookie manipulation
  – Form field manipulation
  – Hidden fields
  – URL manipulation

• Solution:
  – Adequate data validation

Page 134

Session Management

• Problem:
  – Information sent in clear text
  – Sessions vulnerable to replay/hijacking

• Solution:
  – Always encrypt the cookie
  – Build time validation into the session ID
  – Do not use sequential (predictable) session IDs
  – Use random, unique session IDs
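An added example, not from the course, implementing the Solution points on this slide together with the cookie-manipulation case from the Parameter Manipulation slide above: random, non-sequential session IDs, an issue time built into the token, and an HMAC that makes any client-side edit of the cookie detectable. `SessionManager`, the key, the 1800-second lifetime and the account names are constructed; confidentiality of the cookie in transit is TLS's job and is not shown here.

```python
"""Added example: random, time-limited, tamper-evident session tokens (not course code).

Token layout is random-id.issue-time.hmac; the server keeps its own record of
which ids are live. Validation checks the HMAC before anything else, so a
cookie edited by the client is rejected without being looked up, then enforces
the age limit carried in the token. The key, lifetime and account names are
constructed for the illustration.
"""
import hashlib
import hmac
import secrets
import time


class SessionManager:
    def __init__(self, key, max_age_seconds=1800, clock=time.time):
        self._key = key                # server-side secret, never sent to clients
        self._max_age = max_age_seconds
        self._clock = clock            # injectable so expiry can be tested
        self._active = {}              # session id -> account

    def _sign(self, payload):
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, account):
        """Mint a token: 256 random bits, so ids are neither sequential nor guessable."""
        session_id = secrets.token_urlsafe(32)        # URL-safe alphabet, never contains '.'
        payload = f"{session_id}.{int(self._clock())}"
        self._active[session_id] = account
        return f"{payload}.{self._sign(payload)}"

    def validate(self, token):
        """Return the account for a genuine, unexpired, still-live token, else None."""
        try:
            session_id, issued, signature = token.split(".")
            issued = int(issued)
        except ValueError:
            return None                               # malformed
        if not hmac.compare_digest(signature, self._sign(f"{session_id}.{issued}")):
            return None                               # tampered id or timestamp
        if self._clock() - issued > self._max_age:
            self._active.pop(session_id, None)        # expired: drop the server-side record
            return None
        return self._active.get(session_id)           # None if revoked

    def revoke(self, token):
        self._active.pop(token.split(".")[0], None)


def demo():
    """Constructed walk-through: fresh, tampered, time-extended, expired and revoked tokens."""
    now = [1_700_000_000]
    mgr = SessionManager(b"constructed-demo-key-not-for-production", clock=lambda: now[0])
    token = mgr.issue("alice")
    sid, issued, sig = token.split(".")

    fresh = mgr.validate(token)
    flipped = sig[:-1] + ("0" if sig[-1] != "0" else "1")           # one hex digit changed
    tampered = mgr.validate(f"{sid}.{issued}.{flipped}")
    extended = mgr.validate(f"{sid}.{int(issued) + 3600}.{sig}")   # client pushes expiry out
    now[0] += 1801
    expired = mgr.validate(token)
    token2 = mgr.issue("bob")
    mgr.revoke(token2)
    revoked = mgr.validate(token2)
    return {"fresh": fresh, "tampered": tampered, "extended": extended,
            "expired": expired, "revoked": revoked}
```

Keeping the `_active` map server-side is what allows revocation and keeps a replayed token from outliving a logout; the HMAC alone would still verify after `revoke`, which is why `validate` consults both.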

Page 135

Web Application Security Principles

• Validate all input and output.

• Fail secure (closed).

• Make it simple.

• Design secure networks.
  – Defense in depth.
  – Only as secure as your weakest link.
  – Security by obscurity doesn’t work.

Page 136

Other Considerations

• Do not cache secure pages.

• Ensure all encryption used meets industry standards.

• Monitor third party code vendors for security alerts.

• Log all critical transactions and milestones.

Page 137

Other Considerations (cont.)

• Handle exceptions properly.

• Do not trust any data from the client.
  – Trusting client-side data is the number one source of application vulnerability.

• Do not trust data from other servers, partners, or other parts of the application.


Page 139

Information Auditing

• Log and Audit any action that could affect the release of sensitive information.
  – Level and type of auditing is dependent on the features of the installed software and the sensitivity of the data.
  – Provides information on what types of activities have occurred and who or what processes took the action.

Page 140

Change Management Process: Overall Steps

Page 141

Change Management Key Points

• Rigorous process that addresses quality assurance.

• Changes must be submitted, approved, tested and recorded.

• Should have a back out plan in case change is not successful.

Page 142

Patch Management

Problem: Software Bugs and Insecurities

Solution: Security Patch Management Process

Page 143

Patch Management: Overview

• Application of service packs is an important step in security configuration

• Service packs to the operating systems may contain processing and security enhancements

• If the version of the operating system is not current and/or the latest service packs are not applied, unauthorized users may be able to exploit weaknesses in the operating system that may not exist once the service pack is applied

Page 144

Patch Management Process

1. Infrastructure
  – develop a patch strategy
  – team responsible for patch management process

2. Research
  – vendor websites, which must be authenticated
  – must account for various systems/applications

3. Assess and Test
  – change management process
  – test then deploy to production
  – test environment should mirror the production environment

Page 145

Patch Management Process (cont.)

4. Mitigation (“Rollback”)
  – Mitigation process should be developed

5. Deployment (“Rollout”)
  – Patch less sensitive systems first
  – Automated processes
  – Process management team should be present for support
  – Schedule of patching times

6. Validation, Reporting, and Logging
  – Auditing
  – Scanning
  – Post SPMP Review

Page 146

Patch Management Limitations

• Distribution System Failures
  – Example: Corruption, DoS, and Information Leakage

• Patch Failures
  – Example: DoS and Content Corruption

• Time-Related Issues
  – Example: Bandwidth: prioritization, scalability

• Inadequate Testing & Validation

• Patch Rollback

• Load on the network

• Stability issues and other regression issues

Page 147

Patch Management Best Practices

• Determining the “right” solution
• Vendor Change Control process
• Open source patches
• Backup
• Regression Testing
• Evaluation process for new patches and updates
• Speed and scope of patches
• Maintaining a comprehensive inventory

Page 148

Patch Management Alternatives

Should be used in conjunction with Patches:

• Wrappers

• Hardening

• Integrity Controls

• Configuration Management

• Intrusion Detection and Response

• Firewalls

Page 149

Certification and Accreditation

• Certification and Accreditation is a set of procedures and judgments that assess the suitability of a system to operate in a target operational environment

• Ideally an ongoing set of processes

• Should be revisited whenever a major change occurs
  – New connection
  – Addition of a major application
  – Significant technology upgrade, etc.

Page 150

Security Certification

• Comprehensive (technical) analysis of the security features and safeguards of a system to establish the extent to which the security requirements are satisfied.

Page 151

Security Certification (cont.)

• Security certification considers the system in its operational environment
  – Security mode of operations
  – Specific users (and their training)
  – Applications and data sensitivity
  – System and facility configuration and location
  – Interconnections with other systems

Page 152

Accreditation

Accreditation is the official management decision to operate a system

– Particular security mode
– Prescribed set of countermeasures
– Defined threat; stated vulnerabilities
– Given operational concept & environment
– Stated interconnections to other systems
– Risk formally accepted
– Stated period of time
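The slides describe accreditation as a decision bound to stated conditions (security mode, countermeasures, interconnections, accepted risk, period of time) that must be revisited when a major change occurs. The following is an added example, not code from the (ISC)2 courseware: it records those conditions and reports why a system as currently operated has drifted outside its accreditation. The "payroll" system, its connections and the change kinds are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date

# Change categories the slides name as triggers for revisiting C&A.
MAJOR_CHANGE_KINDS = {"new_connection", "major_application", "technology_upgrade"}

@dataclass(frozen=True)
class Accreditation:
    """The management decision, recorded with the conditions it was granted under."""
    system: str
    security_mode: str            # particular security mode
    countermeasures: frozenset    # prescribed set of countermeasures
    interconnections: frozenset   # stated interconnections to other systems
    risk_accepted_by: str         # risk formally accepted, and by whom
    valid_from: date              # stated period of time
    valid_until: date

@dataclass(frozen=True)
class ChangeEvent:
    kind: str
    description: str
    when: date

def reaccreditation_reasons(acc, current_interconnections, changes, today):
    """Return why the accreditation no longer covers the system as operated.

    An empty list means the decision still stands; anything else means the
    certification analysis must be redone and the accreditation re-decided.
    """
    reasons = []
    if today > acc.valid_until:
        reasons.append(f"accreditation period ended {acc.valid_until}")
    # Connections outside the accredited set are new connections (a major change).
    unstated = set(current_interconnections) - set(acc.interconnections)
    if unstated:
        reasons.append("unaccredited interconnections: " + ", ".join(sorted(unstated)))
    for ev in changes:
        if ev.kind in MAJOR_CHANGE_KINDS and ev.when >= acc.valid_from:
            reasons.append(f"major change ({ev.kind}) on {ev.when}: {ev.description}")
    return reasons

def demo():
    # Constructed sample data for a hypothetical "payroll" system (not from the page).
    acc = Accreditation("payroll", "system high", frozenset({"MFA", "FIM"}),
                        frozenset({"hr-db"}), "CIO", date(2005, 1, 1), date(2007, 12, 31))
    changes = [ChangeEvent("minor_fix", "routine patch", date(2005, 6, 1)),
               ChangeEvent("technology_upgrade", "new OS version", date(2006, 3, 1))]
    return reaccreditation_reasons(acc, {"hr-db", "internet-gw"}, changes, date(2006, 4, 1))
```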

Page 153

Quick Quiz

• What are examples of software protection mechanisms that can be used?

• What are some of the ways to protect web application environments?

• What is change management?

• What is certification and accreditation?

Page 154

Section Summary

• Examples of software protection mechanisms include cryptography, access controls, social engineering awareness, backup and recovery controls, malicious software controls, and data contamination controls.

• Some of the ways to protect the web application environment include validating all input, securing all administrative interfaces, ensuring adequate authentication and access controls, etc.

• Change management is a rigorous process that ensures quality assurance of changes.

• Certification is a comprehensive analysis of the features of a system to make sure it addresses the security problem that you may have, and accreditation is the official management decision to actually operate a system.

Page 155