ISC(2) CISSP Revision Notes – Software Development Security
Software Development, crucial to the world. I am in no way a developer so these notes may be a little basic for most.
In NO way should these notes be used as your sole source of study for the CISSP exam. These notes lack things completely that could be included on your exam. I in no way provide any guarantee or assurance that these notes are correct or satisfactory for your learning. For further information see my CISSP Study and Exam Tips.
Distributed Systems Security
Software Integrity: Maintain configuration of system
Data Integrity: If data is distributed, how do we make sure it is kept synchronised?
Access Control: Objects and subjects
Agents/Mobile Code: Perform particular actions (eg HIDS)
Applets: Web based Java and ActiveX. Java uses sandbox, ActiveX has keys to the kingdom
Object Orientated Environments
Behaviors: Objects receive a message
Class: Template that defines an object
Class Hierarchy: Tree structure and extensions
Delegation: An object passes a request to another object or class if it cannot handle it itself
Encapsulation: Inside an object is hidden
Inheritance: Obtains attributes and methods from a parent class
Instance: An instantiated object (a concrete occurrence of a class)
Message: How objects communicate
Method: Code in an object
Multiple Inheritance: From more than one class
Databases
DBMS: Contain Access Control
Security: Very granular controls
Aggregation: Combining multiple sources into something of high value
Data Dictionary: A database of databases
Data Warehouse: Business research tool, can also be used for fraud detection
Transactions: Actions that read or change data, think SQL statements
Types of Databases
Hierarchical
Network (like hierarchical but with links between “cousins”)
Relational
Object
Knowledge Based Systems
Expert Systems
- Builds a knowledge base of past events (inputs and outcomes) and uses it to predict outcomes
- Looks for relationships between events
- Fuzzy logic and certainty factors
Neural Networks
- Weighted inputs to determine outputs
Operating Systems
Process Management, Memory management, Interrupts, Hardware
User Interface: Graphical or command line
Authentication, Access Control, Process Isolation, Network, Communication, File System
Software Development Lifecycle (SDLC)
Ensure software performs its specified requirements
- Conceptual Definition: Description
- Functional Requirements: It should have x and y
- Functional Specifications: We can produce x and z
- Design: Drawing, plans, UML, etc
- Design Review: Yes go ahead
- Coding (Including Unit Testing):
- Code Review: Automated or manual
- Unit Test: Test the individual components
- System Test: Complete test of the whole system, including testing for vulnerabilities
- Certification & Accreditation: Formal evaluation, ok to produce
- Maintenance: Change requests and documentation
- Change Management: Approving modifications to a production environment
- Configuration Management: Recording facts about the changes
Security Principles in Software Development
Requirements should include security
Security features in design
Test security
Implement securely
Ongoing testing
Application Security Controls
Process Isolation: Processes can’t view or modify others
Hardware Segmentation: Isolating functions to different platforms
Separation of Process: Least Privilege
Accountability
Abstraction: Blackboxes
Data Hiding: Encapsulation
System High Mode: Operates at higher levels of classification
Security Kernel: Relationships between objects
Reference Monitor: Checks permissions
SLAs: Time (availability, maintenance windows, etc), numbers of users, response and escalation
System Attack Methods
Malicious Code
- Viruses: Spread by copying onto existing executable
- Worms: Attack vulnerable applications and replicate themselves without user action
- Rootkits: Hides on victim machine, avoids detection
- Trojan Horse:
- Hoaxes:
- Logic Bombs: Does damage when certain criteria are met
- Malicious Apps: See Java or ActiveX
- Trap Doors: Dangerous undocumented entry points, eg “maintenance hooks”
- Hidden Code: Similar to the above but specifically hidden
- Injection Attacks: Not checking inputs
- SQL Injection: Not sanitizing inputs
- Cross-frame Scripts (XFS): Attempts to steal data from other frames in a browser
- Cross Site Scripting Attacks (XSS)
- Non Persistent: Must be sent a URL which will be clicked on
- Persistent: Places on a forum or somewhere that people will find
- Cross Site Request Forgery (CSRF): Links in email, eg phishing
- Escalation of Privilege:
- Denial of Service: (See Network)
- Brute Force/Dictionary Attack: Keep passwords complex
- Spoofing: eg fooling IP filters
- Spam:
- Social Engineering Phishing: Emails from banks
- Social Engineering Pharming: Attacks on a DNS environment to redirect
- Social Engineering Spear Phishing: Targeted phishing
- Social Engineering Whaling: Specific high impact targets (eg CEOs)
- Pseudo Flaw: “Scareware”
- Sniffing: Capturing network traffic for replay, analysis or brute force
- Traffic Analysis & Inference: Looking at network patterns
- Brute Force: Very time consuming, tries every combination of credentials
Antivirus
Signatures: Matches patterns (need to keep signature up to date)
Heuristic: Uses trends and analysis to spot malicious code