ISC(2) CISSP Revision Notes – Software Development Security

Software development is crucial to the world. I am in no way a developer, so these notes may be a little basic for most.

In NO way should these notes be used as your sole source of study for the CISSP exam. These notes lack things completely that could be included on your exam. I in no way provide any guarantee or assurance that these notes are correct or satisfactory for your learning. For further information see my CISSP Study and Exam Tips.

ISC(2) CISSP Revision Notes – Study and Exam Tips
ISC(2) CISSP Revision Notes – Overarching Themes for the CISSP
ISC(2) CISSP Revision Notes – Access Control
ISC(2) CISSP Revision Notes – Business Continuity and Disaster Planning
ISC(2) CISSP Revision Notes – Cryptography
ISC(2) CISSP Revision Notes – Information Security Governance and Risk Management
ISC(2) CISSP Revision Notes – Legal, Regulatory, Investigations and Compliance
ISC(2) CISSP Revision Notes – Operations Security
ISC(2) CISSP Revision Notes – Security Architectural Design
ISC(2) CISSP Revision Notes – Software Development Security (You are here)
ISC(2) CISSP Revision Notes – Telecommunications and Network Security

Distributed Systems Security

Software Integrity: Maintain configuration of system

Data Integrity: When data is distributed, how do we make sure it is kept synchronised?

Access Control: Objects and subjects

Agents/Mobile Code: Perform particular actions (eg HIDS)

Applets: Web-based Java and ActiveX. Java applets run in a sandbox; ActiveX has the keys to the kingdom

Object Orientated Environments

Behaviors: What an object does when it receives a message

Class: Template that defines an object

Class Hierarchy: Tree structure and extensions

Delegation: An object passes a request on to another object or class if required

Encapsulation: The inside of an object is hidden

Inheritance: A class obtains its characteristics from a parent class

Instance: An instantiated object

Message: How objects communicate

Method: Code in an object

Multiple Inheritance: From more than one class

Databases

DBMS: Contains access control

Security: Very granular controls

Aggregation: Combining multiple sources into something of high value

Data Dictionary: A database of databases

Data Warehouse: Business research tool, can also be used for fraud detection

Transactions: Actions that result in any activity on data; think SQL

Types of Databases

Hierarchical

Network (like hierarchical but with links between “cousins”)

Relational

Object

Knowledge Based Systems

Expert Systems

  • Builds a database of past events (inputs and outcomes) and uses it to predict outcomes
  • Looks for relationships between events
  • Fuzzy logic and certainty factors

Neural Networks

  • Weighted inputs to determine outputs

Operating Systems

Process Management, Memory management, Interrupts, Hardware

User Interface: Graphical or command line

Authentication, Access Control, Process Isolation, Network, Communication, File System

Software Development Lifecycle (SDLC)

Ensure software performs its specified requirements

  • Conceptual Definition: Description
  • Functional Requirements: It should have x and y
  • Functional Specifications: We can produce x and z
  • Design: Drawing, plans, UML, etc
  • Design Review: Yes go ahead
  • Coding (Including Unit Testing):
  • Code Review: Automated or manual
  • Unit Test: Test the individual components
  • System Test: Complete test of everything, including testing for vulnerabilities
  • Certification & Accreditation: Formal evaluation, ok to produce
  • Maintenance: Change requests and documentation
  • Change Management: Approving modifications to a production environment
  • Configuration Management: Recording facts about the changes

Security Principles in Software Development

Requirements should include security

Security features in design

Test security

Implement securely

Ongoing testing

Application Security Controls

Process Isolation: Processes can’t view or modify others

Hardware Segmentation: Isolating functions to different platforms

Separation of Process: Least Privilege

Accountability

Abstraction: Blackboxes

Data Hiding: Encapsulation

System High Mode: Operates at higher levels of classification

Security Kernel: Relationships between objects

Reference Monitor: Checks permissions

SLAs: Time (availability, maintenance windows, etc), numbers of users, response and escalation

System Attack Methods

Malicious Code

  • Viruses: Spread by copying onto existing executables
  • Worms: Attack vulnerable applications and replicate
  • Rootkits: Hide on the victim machine, avoid detection
  • Trojan Horse:
  • Hoaxes:
  • Logic Bombs: Do damage when their criteria are met
  • Malicious Apps: See Java or ActiveX
  • Trap Doors: Dangerous undocumented entry points, eg “maintenance hooks”
  • Hidden Code: Similar to the above but specifically hidden
  • Injection Attacks: Not checking inputs
  • SQL Injection: Not sanitizing inputs
  • Cross-frame Scripts (XFS): Attempts to steal data from other frames in a browser
  • Cross Site Scripting Attacks (XSS)
  • Non-persistent: The victim must be sent a URL which they click on
  • Persistent: Placed on a forum or somewhere that people will find it
  • Cross Site Request Forgery (CSRF): Links in email, eg phishing
  • Escalation of Privilege:
  • Denial of Service: (See Network)
  • Brute Force/Dictionary Attack: Keep passwords complex
  • Spoofing: eg fooling IP filters
  • Spam:
  • Social Engineering Phishing: Emails from banks
  • Social Engineering Pharming: Attacks on a DNS environment to redirect
  • Social Engineering Spear Phishing: Targeted phishing
  • Social Engineering Whaling: Specific high impact targets (eg CEOs)
  • Pseudo Flaw: “Scareware”
  • Sniffing: Capturing network traffic for replay, analysis or brute force
  • Traffic Analysis & Inference: Looking at network patterns
  • Brute Force: Very time consuming, tries every combination of credentials
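The SQL Injection entry above (“not sanitizing inputs”), as a worked example added to these notes and not the author’s own code: a login lookup built by string concatenation beside the parameterised form that fixes it, run against a constructed in-memory SQLite table.

```python
import sqlite3

# Constructed sample accounts for the demonstration only.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "pa55word")]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_unsafe(conn, username, password):
    """The flaw: user input is pasted into the SQL text, so a crafted input
    changes the structure of the query instead of just its data."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """The fix: a parameterised query. The SQL text is fixed and the driver
    binds the input as data, so the same crafted input matches nothing."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo():
    """Run both forms with a normal password and with the classic tautology
    input, returning the rows each one matched."""
    conn = make_db()
    crafted = "' OR '1'='1"  # turns the WHERE clause into one that is always true
    return {
        "unsafe_normal": login_unsafe(conn, "alice", "s3cret"),
        "unsafe_crafted": login_unsafe(conn, "alice", crafted),  # every user leaks
        "safe_normal": login_safe(conn, "alice", "s3cret"),
        "safe_crafted": login_safe(conn, "alice", crafted),  # no match at all
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The concatenated version returns all three accounts for the crafted input, while the parameterised version returns none; escaping by hand is not a substitute for binding parameters.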

Antivirus

Signatures: Matches patterns (need to keep signature up to date)

Heuristic: Uses trends and analysis to spot malicious code

Written by gyp - November 25, 2013 - 4171 Views