Dr. Bhavani Thuraisingham
The University of Texas at Dallas (UTD)
July 2013
Data and Applications Development Security
Domain Agenda
• System Lifecycle Security
• Applications Security Issues
• Database Security
Secure Systems Development Policies
• Organizations require more secure development
• Security climate has changed
Organizational Standards
• Systems Security Engineering-Capability Maturity Model Integration (SSE-CMMI)
• Web Application Security Consortium (WASC)
• Build Security In (BSI)
• International Organization for Standardization (ISO)/International Electro-Technical Commission (IEC 27034)
Software Configuration Management (SCM)
• Versioning
• Technology
• Protection of code
• Protection of project
  – Scope-creep vs. statement of work
• Process integrity
System Lifecycle
• Project
• Management-based methodology
• Capability maturity model integration
• SLC vs. SDLC
  – System lifecycle
  – System development lifecycle
Project Management Controls
• Complexity of systems and projects
• Controls built into software
Secure Development Environment
• “We need security? Then we’ll use SSL.”
• “We need strong authentication? PKI will solve all our problems.”
• “We use a secret/military-grade encryption.”
• “We had a hacking contest and no one broke it.”
• “We have an excellent firewall.”
• “We’ll add it later; let’s have the features first.”
Secure Development: Physical
• Protect source code
  – From tampering
  – Pirating
  – Accidental loss
  – Protection against attacks
Personnel Security
• Hiring controls
• Changes in employment
• Protection of privacy from employees
  – Privacy impact rating
Separation of Test Data from Production
• Never test on a production system
• Never use real data
Software Development Methods
• Waterfall
• Spiral method
• Clean-room
• Structured Programming Development
• Iterative development
• Joint analysis development
• Prototyping
Software Development Methods (cont.)
• Modified prototype model
• Exploratory model
• Rapid application development
• Reuse model
• Computer aided software engineering
• Component-based development
• Extreme programming
• Agile development
Programming Language Examples
Interpreted
• REXX
• PostScript
• Perl
• Ruby
• Python
Compiled
• Fortran
• COBOL
• BASIC
• Pascal
• C
• Ada
• C++
• Java
• C#
• Visual Basic
Program Utilities
• Assembler
• Compiler
• Interpreter
Secure Coding Issues
• Buffer overflow
• SQL injections
• Cross-site scripting (XSS)
• Dangling pointer
• Invalid hyperlink
• Secure web applications
• JavaScript attacks vs. sandbox
• Application Programming Interface (API)
• Open Source
Application Security Principles
• Validate all input and output
• Fail secure (closed)
• Fail safe
• Make it simple
• Defense in depth
• Only as secure as your weakest link
Object-oriented Programming
• OOP concepts
  – Classes
  – Objects
  – Message
  – Inheritance
  – Polymorphism
  – Polyinstantiation (term came from security)
Domain Agenda
• System Lifecycle Security
• Applications Security Issues
• Database Security
Applications Security Issues
• Building security in
• Adding defense-in-depth
Transaction Processing
• Transaction
  – Integrity
  – Availability
  – Confidentiality
Malware and Attack Types
• Injection
• Input manipulation / malicious file execution
• Broken authentication management
• Cryptographic
• Denial of service
• Hijacking
• Information disclosure
• Infrastructure
• Mis-configuration
• Race condition
Malware
• Keystroke logging
• Adware and spyware
• SPAM
• Phishing
• Botnets
• Remote access Trojan
• URL manipulation
• Maintenance hooks
• Privileged programs
Distributed Programming
• Distributed Component Object Model (DCOM)
• Simple Object Access Protocol (SOAP)
• Common Object-Request Broker Architecture (CORBA)
• Enterprise Java Beans (EJB)
Domain Agenda
• System Lifecycle Security
• Applications Security Issues
• Database Security
Database Security
• Database and data warehousing environment
  – Eliminate duplication of data
  – Consistency of data
  – Network access
Database Management Systems (DBMS) Models
• Hierarchical DBMS
  – Stores records in a single table
  – Parent/child relationships
  – Limited to a single tree
  – Difficult to link branches
Relational DBMS Model
• Most frequently used model
• Data are structured in tables
• Columns are “variables” (attributes)
• Rows contain the specific instances (records) or data
Data Warehouse
• Consolidated view of enterprise data
• Data mart
• Designed to support decision making through data mining
Knowledge Discovery in Databases (KDD)
• Methods of identifying patterns in data
• KDD and AI techniques
  – Probabilistic models
  – Statistical approach
  – Classification approach
  – Deviation and trend analysis
  – Neural networks
  – Expert system approach
  – Hybrid approach
Database Security Issues
• Inference
• Aggregation
• Unauthorized access
• Improper modification of data
• Metadata
• Query attacks
• Bypass attacks
• Interception of data
• Web security
• Data contamination
• Polyinstantiation
• Data mining
Database Controls
• Access controls
• Grants
• Cascading permissions
• Lock controls
• Backup and recovery
View-based Access Controls
• Constrained views
• Sensitive data is hidden from unauthorized users
• Controls located in the front-end application (user interface)
Transaction Controls
• Content-based access control
• Commit statement
• Three-phase commit
• Database rollback
• Journal / logs
• Error controls
The ACID Test
• Atomicity
• Consistency
• Isolation
• Durability
Application and Database Languages: Security Issues
• Poorly designed
• More privileges than necessary
• DBA account use
• Lack of audit
• Input validation
Database Interface Languages
• Structured Query Language (SQL)
• Open Database Connectivity (ODBC)
• Extensible Markup Language (XML)
• Object Linking and Embedding (OLE)
• ActiveX Data Objects (ADO)