Application Security
CISSP Guide to Security Essentials
Chapter 3
CISSP Guide to Security Essentials 2
Objectives
• Types of applications
• Application models and technologies
• Application threats and countermeasures
• Security in the software development life cycle
Objectives (cont.)
• Application security controls
• Databases and data warehouses
Types of Applications
• Agents
  – Standalone programs that are part of a larger application
  – Examples:
    • Anti-virus
    • Patch management
    • Configuration management
Types of Applications (cont.)
• Applets
  – Software programs that run within the context of another program
  – Example: media players within a browser
Types of Applications (cont.)
• Client-server
  – Separate programs on clients and servers communicate via networks and work together
  – Few are developed now, but many are in use
Types of Applications (cont.)
• Distributed
  – Software components run on several systems
  – Two-tier, three-tier, multi-tier
  – Reasons: scalability, performance, geographical
Types of Applications (cont.)
• Web
  – Web browser as client, application server back-end
  – Client software nearly universal
  – Application software centralized
Application Models and Technologies
• Control flow languages
• Structured languages
• Object oriented languages
• Knowledge based languages
Control Flow Languages
• Linear, sequential
• Use of “if – then – else”
• Branching with “go to”
• Examples:
  – BASIC, COBOL, Cold Fusion, FORTRAN, Perl, PHP, Python, VBScript
Structured Languages
• Nested, heavy use of subroutines and functions
• Little or no “go to”
• Examples:
  – C
  – Pascal
Object Oriented Languages
• Utilize concepts of object programming
  – Classes, objects, instances, and inheritance
  – Methods, instantiations
  – Encapsulation, abstraction, polymorphism
• Examples
  – C++, Java, Ruby, Simula, Smalltalk
Knowledge Based Applications
• Neural networks
  – Modeled after biological reasoning processes
  – Artificial neurons that store pieces of information
  – Given cases about situations and outcomes, can predict future outcomes
Knowledge Based Applications (cont.)
• Expert systems
  – Inference engine and knowledge base of past situations and outcomes
Threats to Applications
• Reasons for attacks
  – Industrial espionage
  – Vandalism and disruption
  – Denial of service
  – Political / religious
Threats to Applications (cont.)
• Buffer overflow attacks
  – Disrupt a software application by providing more data to the application than it was designed to handle
Threats to Applications (cont.)
• Buffer overflow attacks (cont.)
  – Types
    • Stack buffer overflow
    • NOP sled attack
    • Heap overflow
    • Jump to register attack
In Java
• Instance variables and objects lie on the heap.
• Local variables and methods lie on the stack. So if we have a main method which calls the go() method, which in turn calls the gone() method, then the stack from top to bottom would consist of:
  • gone()
  • go()
  • main()
Threats to Applications (cont.)
• Examples: Morris worm, ping of death, Code Red worm
• Buffer overflow attack countermeasures
  – Use safe languages and libraries
  – Executable space protection
  – Stack smashing protection
  – Application firewalls
Threats to Applications (cont.)
• Covert channel
  – Unintended and hidden channel of communications
  – Types:
    • Covert storage channel: read a storage location and learn about the application or other data
Threats to Applications (cont.)
  – Covert channel types (cont.)
    • Timing channel: observe timings in an application to determine what is happening in the application
• Countermeasures
  – Careful software analysis, good software engineering
  – Newer versions of firewall
Threats to Applications (cont.)
• Side channel attack
  – An attack on a cryptosystem based upon physical information gained from the system
  – Examples: timing, power consumption, emanations, and even sounds
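The timing channel and the timing side channel on the two slides above both come from code whose running time depends on secret data. The following is an added example, not from the slides: a token check written the leaky way beside a constant-time version. The function names and the sample tokens are constructed for the demonstration; the `work` counter stands in for the elapsed time an observer would measure.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample tokens for the demonstration (not real secrets). */
#define TOKEN_LEN 8
static const uint8_t SAMPLE_EXPECTED[TOKEN_LEN]     = {0x41,0x42,0x43,0x44,0x45,0x46,0x47,0x48};
static const uint8_t SAMPLE_PREFIX_MATCH[TOKEN_LEN] = {0x41,0x42,0x43,0x44,0x00,0x00,0x00,0x00};
static const uint8_t SAMPLE_NO_MATCH[TOKEN_LEN]     = {0x00,0x42,0x43,0x44,0x45,0x46,0x47,0x48};

/* Leaky comparison: returns at the first mismatching byte, so its running
 * time grows with the length of the matching prefix. If work is non-NULL it
 * receives the number of bytes inspected, i.e. what a clock would reveal.
 * Returns 1 on match, 0 otherwise. */
int token_matches_leaky(const uint8_t *expected, const uint8_t *given,
                        size_t n, size_t *work)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (expected[i] != given[i]) {
            if (work) *work = i + 1;
            return 0;
        }
    }
    if (work) *work = n;
    return 1;
}

/* Constant-time comparison: inspects every byte wherever the first
 * difference lies and folds all differences into one accumulator, so the
 * work (and the time) depends only on n, never on the data. */
int token_matches_ct(const uint8_t *expected, const uint8_t *given,
                     size_t n, size_t *work)
{
    volatile uint8_t diff = 0;   /* volatile discourages early-exit optimisation */
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(expected[i] ^ given[i]);
    if (work) *work = n;
    return diff == 0;
}

/* Convenience helpers: bytes inspected when checking `given` against the
 * sample expected token with each comparison. */
size_t leaky_work(const uint8_t *given)
{
    size_t w = 0;
    token_matches_leaky(SAMPLE_EXPECTED, given, TOKEN_LEN, &w);
    return w;
}

size_t ct_work(const uint8_t *given)
{
    size_t w = 0;
    token_matches_ct(SAMPLE_EXPECTED, given, TOKEN_LEN, &w);
    return w;
}

int main(void)
{
    const uint8_t *inputs[3] = {SAMPLE_EXPECTED, SAMPLE_PREFIX_MATCH, SAMPLE_NO_MATCH};
    for (int k = 0; k < 3; k++) {
        /* The leaky check does 8, 5 and 1 units of work; the constant-time
         * check does 8 every time, so timing reveals nothing about the prefix. */
        printf("input %d: leaky match=%d work=%zu | ct match=%d work=%zu\n", k,
               token_matches_leaky(SAMPLE_EXPECTED, inputs[k], TOKEN_LEN, NULL),
               leaky_work(inputs[k]),
               token_matches_ct(SAMPLE_EXPECTED, inputs[k], TOKEN_LEN, NULL),
               ct_work(inputs[k]));
    }
    return 0;
}
```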
Threats to Applications (cont.)
• Countermeasures
  – Limit release of information through shielding and other means
Threats to Applications (cont.)
• Malicious software
  – Types: viruses, worms, Trojan horses, rootkits, bots, spam, pharming, spyware, key loggers
  – Purpose
    • Steal, corrupt, or destroy information
    • Remote control
    • Denial of service
Threats to Applications (cont.)
• Types of malware
  – Virus: human-assisted replication; embeds in programs, files, master boot records
  – Worm: self-replicating, scans for victims, rapid spread
  – Trojan horse: claims one function, but is malware
Threats to Applications (cont.)
• Types of malware (cont.)
  – Rootkit: hides within or beneath the operating system
  – Bot: remote-control zombie
  – Spam: unsolicited e-mail
Threats to Applications (cont.)
• Types of malware (cont.)
  – Pharming: attack on DNS to redirect traffic to a decoy application
  – Spyware: collects information about usage, forwards it to a central server
  – Key logger: logs keystrokes and mouse movements, forwards them to a central server
Threats to Applications (cont.)
• Malware countermeasures
  – Anti-malware
  – Patches
  – Firewalls and application firewalls
  – Hardened systems
Threats to Applications (cont.)
• Malware countermeasures (cont.)
  – Intrusion detection systems
  – Decreased privilege levels
  – Penetration testing
Threats to Applications (cont.)
• Input attacks
  – Buffer overflow
  – Script injection
  – Cross site scripting
  – Cross site request forgery
Threats to Applications (cont.)
• Countermeasures
  – Input field filtering, application firewall, application vulnerability scanning, software developer training
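The buffer overflow countermeasure "use safe languages and libraries" and the input-attack countermeasure "input field filtering" above meet in one place: the code that accepts a field into fixed storage. As an added example that is not from the slides, here is a fixed-size field handler in its vulnerable form beside a hardened form that enforces both a length bound and a character allowlist. `FIELD_CAP`, the function names and the sample inputs are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIELD_CAP 16   /* room for 15 characters plus the terminating NUL */

/* Vulnerable "before" form: strcpy copies the whole source, so any input
 * longer than FIELD_CAP-1 characters writes past the end of dest, over
 * whatever the stack or heap holds next. Shown for contrast; never called
 * here with over-long input. */
void store_field_unsafe(char dest[FIELD_CAP], const char *src)
{
    strcpy(dest, src);
}

/* Allowlist for this field: ASCII letters, digits, '_' and '-'. Anything
 * else (quotes, '<', ';', control bytes) is rejected outright rather than
 * escaped, which is what "input field filtering" means in practice. */
static bool allowed_char(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '_' || c == '-';
}

/* Hardened form. Returns 0 and fills dest on success. Returns -1 and
 * leaves dest empty when src is empty, does not fit in the buffer, or
 * contains a character outside the allowlist. Never reads src beyond
 * FIELD_CAP bytes and never writes dest beyond FIELD_CAP bytes. */
int store_field_safe(char dest[FIELD_CAP], const char *src)
{
    size_t n = 0;
    dest[0] = '\0';
    while (n < FIELD_CAP && src[n] != '\0')   /* bounded length scan */
        n++;
    if (n == 0 || n >= FIELD_CAP)             /* empty, or no room for the NUL */
        return -1;
    for (size_t i = 0; i < n; i++)
        if (!allowed_char((unsigned char)src[i]))
            return -1;
    memcpy(dest, src, n + 1);                 /* n + 1 <= FIELD_CAP */
    return 0;
}

/* Shared destination buffer used by the demo below. */
static char demo_field[FIELD_CAP];

int main(void)
{
    /* Constructed sample inputs: a valid name, a 16-character name that
     * would overflow, a tag-bearing value and a value with a separator. */
    const char *samples[] = {"alice_01", "abcdefghijklmnop", "<script>", "bob;x", ""};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = store_field_safe(demo_field, samples[i]);
        printf("%-18s -> %s\n", samples[i], rc == 0 ? demo_field : "rejected");
    }
    return 0;
}
```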
Threats to Applications (cont.)
• Object reuse
  – Use of a resource belonging to another process, including:
    • Memory, databases, file systems, temporary files, and paging space
Threats to Applications (cont.)
• Object reuse countermeasures
  – Application isolation
  – Server virtualization
  – Developer training
Threats to Applications (cont.)
• Mobile code
  – Executable code, active content, downloadable content
  – Examples: active website content, downloaded programs
  – Some is desired, but some is malicious in nature
Threats to Applications (cont.)
• Mobile code countermeasures
  – Anti-malware, mobile code access controls
  – Reduced user privileges
Threats to Applications (cont.)
• Social engineering
  – Attack on personnel to gain secrets
  – People are vulnerable because they want to help
• Social engineering countermeasures
  – Security awareness training that includes accountability
Threats to Applications (cont.)
• Time of check / time of use (TOCTOU)
  – Also known as a “race condition”
  – Defect in resource allocation and management controls
  – Possible exploitation to cause harm or steal data
Threats to Applications (cont.)
• TOCTOU countermeasures
  – Reviews of resource allocation controls
  – Improve privacy of communications
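The classic TOCTOU defect is a file check made on a path name followed by a separate open of the same name. As an added example that is not from the slides, the POSIX C below shows the race-prone pattern beside the hardened one that checks the descriptor it actually opened; the function names, the `fixture` helper and the temporary paths are constructed for the demonstration and assume a POSIX system with `O_NOFOLLOW`.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Race-prone pattern: the decision is made on the path name at time of
 * check, but the name is resolved again, later, at time of use. Whatever
 * the name refers to in between (for instance a symbolic link placed there
 * by another process) is what actually gets opened. */
int open_report_racy(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))   /* time of check */
        return -1;
    return open(path, O_RDONLY);                          /* time of use */
}

/* Hardened pattern: open first, refusing to follow a symbolic link, then
 * check the object that was actually opened through its descriptor.
 * Check and use now refer to the same inode, so there is no window. */
int open_report_safe(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed fixture: a fresh temporary directory holding a regular file
 * and a symbolic link pointing at it. Returns 0 on success. */
struct fixture { char dir[64]; char file[128]; char link[128]; };
static struct fixture demo_fx;

int make_fixture(struct fixture *f)
{
    strcpy(f->dir, "/tmp/toctou-XXXXXX");
    if (mkdtemp(f->dir) == NULL)
        return -1;
    snprintf(f->file, sizeof f->file, "%s/report.txt", f->dir);
    snprintf(f->link, sizeof f->link, "%s/report.lnk", f->dir);
    int fd = open(f->file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    close(fd);
    return symlink(f->file, f->link);
}

int main(void)
{
    if (make_fixture(&demo_fx) != 0) { perror("fixture"); return 1; }
    int a = open_report_racy(demo_fx.link);   /* stat follows the link, so this "passes" */
    int b = open_report_safe(demo_fx.link);   /* O_NOFOLLOW: refused (-1) */
    int c = open_report_safe(demo_fx.dir);    /* opens, but fstat says not a regular file */
    int d = open_report_safe(demo_fx.file);   /* the genuine file: accepted */
    printf("racy(link)=%d safe(link)=%d safe(dir)=%d safe(file)=%d\n", a, b, c, d);
    if (a >= 0) close(a);
    if (d >= 0) close(d);
    unlink(demo_fx.link); unlink(demo_fx.file); rmdir(demo_fx.dir);
    return 0;
}
```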
Threats to Applications (cont.)
• Back door / maintenance hook
  – Access holes deliberately planted by a developer
    • To facilitate easier testing during development
    • To facilitate production access
    • To facilitate a break-in
Threats to Applications (cont.)
• Back door countermeasures
  – Code reviews
  – Source code control
Threats to Applications (cont.)
• Logic bombs
  – Deliberate malfunction that causes harm
  – Time bombs
    • Malfunction on a given date and time
  – Event bombs
    • Malfunction on a specific event
Threats to Applications (cont.)
• Logic bomb countermeasures
  – Software source code review, external audits
Security in the Software Development Life Cycle (SDLC)
• SDLC
  – The entire collection of processes used to design, develop, test, implement, and maintain software
Security in the Software Development Life Cycle (cont.)
• Security must be included in each step of the SDLC
  – Conceptual
  – Requirements and specifications development
  – Application design, coding, and testing
Security in the Software Development Life Cycle (cont.)
• Security in the conceptual stage
  – Presence of sensitive information must be identified
  – Access controls (users, administrators, third parties)
  – Regulatory conditions
  – Security dependencies
Security in the Software Development Life Cycle (cont.)
• Security application requirements and specifications
  – Functional requirements
  – Standards
  – Security requirements
    • Roles, access controls, audit logging, configuration management
Security in the Software Development Life Cycle (cont.)
• Requirements and specifications (cont.)
  – Regulatory requirements
  – Test plan is a byproduct of the requirements
Security in the Software Development Life Cycle (cont.)
• Security in application design
  – Adhere to all requirements and specifications
  – Published design documents
  – Design reviews
    • Reviewed by all stakeholders, including security
Security in the Software Development Life Cycle (cont.)
• Threat risk modeling
  – Identify threats and risks prior to development
    • Tool: Microsoft Threat Analysis and Risk
  – Possible changes to specs, req’s, or design
Security in the Software Development Life Cycle (cont.)
• Security in application coding
  – Develop safe code
    • Free of common vulnerabilities – particularly web apps
    • Unvalidated input / broken access control
    • Broken authentication / scripting attack
    • Buffer overflow / insecure storage
  – Use safe libraries that include safe functions for input validation
Security in the Software Development Life Cycle (cont.)
• Security in testing
  – Testing should verify correct coding of every requirement and specification
    • Tools: WebInspect, AppScan
Security in the Software Development Life Cycle (cont.)
• Protect the SDLC itself
  – Source code access control
    • Protect source code
    • Protect development tools / libraries
    • Record version changes
  – Protection of software development and testing tools
    • Protect from unauthorized modifications
Security in the Software Development Life Cycle (cont.)
• Protect SDLC (cont.)
  – Protection of software development systems
    • Prevent introduction of malware, back doors, logic bombs
Application Environment and Security Controls
• Controls that must be present in a developed application
  – Authentication
    • Limiting access to only legitimate, approved users
    • Own authentication / enterprise-wide LDAP, Active Directory
  – Authorization
    • Limiting access only to approved functions and data
    • Thousands of functions / thousands of users
Application Environment and Security Controls (cont.)
• Controls (cont.)
  – Role-based Access Control
    • Based on job description / job code
  – Audit logging
    • Logging of all actions in the application
      – Date/time, user, user’s location
      – Event name
      – Relevant data
  – Audit log protection
Database Architectures
• Various databases – SQL Server, Oracle, DB2, Sybase, etc.
• Hierarchical databases: tree structure, Internet’s DNS, legacy
• Network databases: complex tree structure, legacy
• Object databases: OO, methods stored with data
Database Architectures (cont.)
• Distributed databases: physically distributed, any type
• Relational databases (RDBMS): in widest use today
  – Structure is defined by a schema
  – Data modeling tools are used to create the schema
  – Oracle, SQL Server, DB2, MySQL, etc.
Database Transactions
• Records retrieval
• Records update
• Records creation
• Nested or complex transactions executed as a unit
  – Begin work… <transactions> …end work
Database Security Controls
• Access controls
  – Userids, passwords
  – Table / row / field level access control
  – Read-only or read/write
Database Security Controls (cont.)
• Views
  – Virtual tables that are a subset of individual tables, or a “join” between tables
  – Permission is given to views just like “real” tables
Summary
• Types of applications: agents, applets, client-server, distributed, web
• Application language types: control flow, structured, object oriented, knowledge based
Summary (cont.)
• Reasons for threats to applications: industrial espionage, vandalism and disruption, denial of service, political / religious
Summary (cont.)
• Types of threats
  – Buffer overflow, covert channel, side channel, malware, input attacks, object reuse, mobile code, social engineering, TOCTOU, back door, logic bomb
Summary (cont.)
• Software development life cycle (SDLC) steps
  – Conceptual, requirements / specifications, design, coding, testing, maintenance
  – Source code control, configuration management
• Application environment security controls
  – Authentication, access control, audit logging
Summary (cont.)
• Types of databases
  – Hierarchical, network, distributed, object-oriented, relational (most common)
• Database security controls: userid, access control, audit logging, views