CISSP Prep- Application Security

Security activities should be done in parallel with project initiation
activities and, indeed, with every task throughout the project. Page 182.

Audit logs can be used to fi nd out who (identity) did what
(action), when (timestamp), and where (objects or resources aff ected) and are therefore
detective in nature. Page 245.

A Web site that allows users to input information for later
retrieval by other users, such as a guestbook comment page or blog, without
proper input validation, may fail to detect when such input comes in is in the
form of active scripting. Without appropriate output encoding, the script can
be actively read and executed by the browser causing denial of service (Web
site defacement) or other serious impacts. Th is is the basis of cross-site scripting
attacks. Page 177.

Th e objective of application security is to make sure that the
system and its resources are available when needed, that the integrity of the processing
of the data and the data itself are ensured, and that the confi dentiality of
the data is protected. All of these purposes rely upon secure, consistent, reliable,
and properly operating software. Ensuring confi dentiality, integrity, and availability
will mitigate the chances and impact of a hacking incident or data theft,
but it must be recognized that total hacker proof software is utopian. Auditing
(logging) functionality in software can help with detecting software and user
activity, but this is not the key objective of application security. Software security
controls can reduce the likelihood of data theft but they are not necessarily
preventative. Page 164.

A variant on the concept of logic bombs involves what is known
as the salami scam. Th e basic idea involves siphoning off small amounts of money
(in some versions, fractions of a cent) credited to a specifi c account, over a large
number of transactions. Pranks are very much a part of the computer culture, so
much so that you can now buy commercially produced joke packages that allow
you to perform “stupid Mac (or PC or Windows) tricks.” Hoaxes use an odd kind
of social engineering, relying on people’s naturally gregarious nature and desire to
communicate, and on a sense of urgency and importance, using the ambition that
people have to be the fi rst to provide important new information. Page 224.

Social engineering is the art of getting people to divulge sensitive
information to others either in a friendly manner, as an attempt to be “helpful,”
or through intimidation. Phishing is the form of social engineering using electronic
means such as e-mail. Shoulder surfi ng is a disclosure attack wherein, you stand
over the shoulders of someone and read the sensitive information they are viewing.
Masking of information (asterisking password) can mitigate shoulder surfi ng.
Dumpster diving is another disclosure attack in which dumpsters are searched to
glean sensitive information. Page 178.

TOC/TOU is a common type of attack that occurs when
some control changes between the time that the system security functions check
the contents of variables and the time the variables actually are used during operations.
For instance, a user logs on to a system in the morning and later is fi red. As a
result of the termination, the security administrator removes the user from the user
database. Because the user did not log off , he or she still has access to the system
and might try to get even. Logic bombs are software modules set up to run in a
quiescent state, but to monitor for a specifi c condition or set of conditions and to
activate their payload under those conditions. Remote-access trojans are malicious
programs designed to be installed, usually remotely, after systems are installed and
working. Phishing attempts to get the user to provide information that will be useful
for identity theft-type frauds. Pages 178–179.

One of the control mechanisms for mobile code is the sandbox.
Th e sandbox provides a protective area for program execution. Limits are placed on the
amount of memory and processor resources the program can consume. If the program
exceeds these limits, the Web browser terminates the process and logs an error code.
Th is can ensure the safety of the browser’s performance. Non-repudiation is a security
control mechanism in which the user or process cannot deny its action. Separation of
duties is about ensuring that a security policy cannot be violated by a single user or
process. Obfuscation is the process of rendering source code to be unreadable and
unintelligible as a protection against reversing and IP issues. Pages 209–210.

A Trojan is a program that pretends to do one thing while performing
another, unwanted action. A Trojan does not reproduce itself as do worms
and viruses in order to spread. A trapdoor or backdoor is a hidden mechanism
that bypasses access control measures. It is an entry point into a program that is
inserted in software by programmers during the program’s development to provide
a method of gaining access into the program for modifi cation if the access control
mechanism malfunctions and locks them out. Developers often refer to them as
maintenance hooks. Page 217.

A view is a feature that allows for virtual tables in a database;
these virtual tables are created from one or more real tables in the database. For
example, a view can be set up for each user (or group of users) on the system so that
the user can then only view those virtual tables (or views). Encryption, hashing,
and masking can all provide confi dentiality as well, but for databases, views based
access control which is a content dependent access control mechanism is the best
answer. Page 236.

A fundamental aspect of von Neumann architecture on which
most computers today are based on is that there is no inherent diff erence between
data and programming (instructions) representations in memory. Th erefore, we
cannot tell whether the pattern 4Eh (00101110) is the letter N or a decrement operation
code (commonly known as opcode). Similarly, the pattern 72h (01110010)
may be the letter r or the fi rst byte of the “jump if below” opcode. Th erefore, without
proper input validation, an attacker can provide input data that may actually
be an instruction for the system to do something unintended. Linus’ law basically
is based on the premise that with more people reviewing the source code (as in
the case of open source), more security bugs can be detected and hence improve
security. Clark and Wilson model is an integrity model from which entity and
referential integrity (RDBMS integrity) rules are derived. Bell–LaPadula is a confi
dentiality model. Page 168.

Certifi cation is the process of evaluating the security stance of
the software or system against a predetermined set of security standards or policies.
Management, after reviewing the certifi cation, authorizes the software or system
to be implemented in a production status, in a specifi c environment, for a specifi c
period. Th ere are two types of accreditation: provisional and full. Management
approval is known as accreditation. Pages 185–186.

ACID test, which stands for atomicity, consistency, isolation,
and durability, is an important DBMS concept. Atomicity is when all the parts of
a transaction’s execution are either all committed or all rolled back—do it all or
not at all. Essentially, all changes take eff ect, or none do. Consistency occurs when
the database is transformed from one valid state to another valid state. A transaction
is allowed only if it follows user-defi ned integrity constraints. Illegal transactions
are not allowed, and if an integrity constraint cannot be satisfi ed, the
transaction is rolled back to its previously valid state and the user is informed
that the transaction has failed. Isolation is the process guaranteeing the results of
a transaction are invisible to other transactions until the transaction is complete.
Durability ensures the results of a completed transaction are permanent and can
survive future system and media failures, that is, once they are done, they cannot
be undone. Th is is similar to transaction persistence. Page 249.

Th e underlying foundation of software security controls
is the organization’s security policy. Th e security policy refl ects the security
requirements of the organization. Th e identifi cation of regulatory and compliance
requirements such as Sarbanes–Oxley (SOX), payment card industry data
security standard (PCIDSS) are essential and must be factored into the security
policy. Without a clear understanding of what the security requirements are, as
defi ned in the security policy, educating software development teams may potentially
be still inadequate. Testing for security vulnerability can provide some
degree of software assurance, but with newer kinds of attacks against software
being discovered, security testing does not directly indicate the eff ectiveness of an
application security program. Page 165.

A programming language like Java compiles source code into
a sort of pseudo-object code called bytecode. Th e bytecode is then processed by the
interpreter (called the Java Virtual Machine, or JVM) for the CPU to run. Because
the bytecode is already fairly close to object code, the interpretation process is much
faster than for other interpreted languages. And because bytecode is still undergoing
an interpretation, a given Java program will run on any machine that has a
JVM. Memory management and sandboxing are important security aspects that
apply to the programming language Java, but not to bytecode itself. Th e debate over
whether a pseudo-object (bytecode) representation can be easily reverse engineered
is debatable and inconclusive. Because bytecode is more pseudo-object representation
of the source code, reversing to source code is in fact considered less diffi cult
than from object or executable code. Page 171.

A covert channel or confi nement problem is an information
fl ow issue. It is a communication channel allowing two cooperating processes to
transfer information in such a way that it violates the system’s security policy. Th ere
are two types of covert channels, viz. storage and timing. A covert storage channel
involves the direct or indirect reading of a storage location by one process and a
direct or indirect reading of the same storage location by another process. Typically,
a covert storage channel involves a fi nite resource, such as a memory location or sector
on a disk that is shared by two subjects at diff erent security levels. Th is scenario
is a description of a covert storage channel. A covert timing channel depends upon
being able to infl uence the rate that some other process is able to acquire resources,
such as the CPU, memory, or I/O devices. Covert channels as opposed to what
should be the case (overt channels) could lead to denial of service and object reuse
has to do with disclosure protection when objects in memory are reused by diff erent
processes. Pages 175–176.

In cleanroom software development methodology, the goal
is to write code correctly the fi rst time, rather than trying to fi nd the problems
once they are there. Essentially, it focuses on defect prevention rather than defect
removal. Th e waterfall methodology is extremely structured and its key distinguishing
characteristic is that each phase (stage) must be completed before moving
on to the next, in order to prevent ad hoc scope creep. A distinguishing feature
of the spiral model is that in each phase of the waterfall there are four substages,
based on the common Deming PDCA (Plan-Do-Check-Act) model; in particular,
a risk assessment review (Check). CASE is the technique of using computers and
computer utilities to help with the systematic analysis, design, development, implementation,
and maintenance of software. Page 188.

Th e expert system uses a knowledge base (a collection of
all the data, or knowledge, on a particular matter) and a set of algorithms or
rules that infer new facts from knowledge and incoming data. Th e knowledge
base could be the human experience that is available in an organization. Because
the system reacts to a set of rules, if the rules are faulty, the response will also
be faulty. Also, because human decision is removed from the point of action, if
an error were to occur, the reaction time from a human would be longer. Pages
253–254.

Aggregation is the ability to combine nonsensitive data from
separate sources to create sensitive information. For example, a user takes two
or more unclassifi ed pieces of data and combines them to form a classifi ed piece
of data that then becomes unauthorized for that user. Th us, the combined data
sensitivity can be greater than the classifi cation of individual parts. Inference
is the ability to deduce (infer) sensitive or restricted information from observing
available information. Essentially, users may be able to determine unauthorized
information from what information they can access and may never need to
directly access unauthorized data. For example, if a user is reviewing authorized
information about patients, such as the medications they have been prescribed,
the user may be able to determine the illness. Inference is one of the hardest
threats to control. All of the other attacks are primarily attacks on Web applications.
Pages 245–246.

A software librarian ensures program or data library is controlled
in accordance with policy and procedures. Page 184.

Th e use on non-predictable (randomized) and unique identifi
ers to identify sessions between two communicating parties is the best defense
against session hijacking and man-in-the-middle attacks. Encryption provides disclosure
protection. Prepared statements or procedures at the database layer, reduces
the likelihood of injection attacks. A database view is a preventive security control
measure against disclosure attacks. Page 256.

Buff er overfl ows can result when a program fi lls up the assigned
buff er of memory with more data than its buff er can hold. When the program
begins to write beyond the end of the buff er, the program’s execution path can be
changed, or data can be written into areas used by the operating system itself. A
buff er overfl ow is caused by improper (or lacking) bounds checking on input to a
program. By checking for the bounds (boundaries) of allowable input size, buff er
overfl ow can be mitigated. Disallowing dynamic construction of queries is a defense
against injection attacks and encoding the output mitigates scripting attacks. Th e
collection of dangling objects in memory (garbage) can be requested but not necessarily
forced and proper memory management can help mitigate buff er overfl ow
attacks, but the most eff ective defenses against buff er overfl ow is bounds checking
and proper error checking. Pages 174–175.