SlideShare a Scribd company logo

8. Software Development Security

Sam Bowne
Sam Bowne

For a CISSP class. More info: https://samsclass.info/125/125_S23.shtml

1 of 85
Download to read offline
CNIT 125:
Information Security
Professional
(CISSP
Preparation)
Ch 8. Software Development
Security
Updated 5-9-23
Programming Concepts
Machine Code, Source Code, and
Assembly Language
• Machine code
• Binary language built into CPU
• Source code
• Human-readable language like C
• Assembly Language
• Low-level commands one step above
machine language
• Commands like ADD, SUB, PUSH
Compilers, Interpreters, and Bytecode
• Compilers translate source code into
machine code
• Interpreters translate each line of code
into machine code on the fly while the
program runs
• Bytecode is an intermediary form
between source code and machine code,
ready to be executed in a Java Virtual
Machine
Procedural and Object-Oriented
Languages
• Procedural languages use subroutines,
procedures and functions
• Ex: C, FORTRAN
• Object-oriented languages define
abstract objects
• Have attributes and methods
• Can inherit properties from parent
objects
• Ex: C++, Ruby, Python
Metasploit Source Code
• Link Ch 9a

Recommended

CISSP Prep: Ch 9. Software Development Security
CISSP Prep: Ch 9. Software Development SecurityCISSP Prep: Ch 9. Software Development Security
CISSP Prep: Ch 9. Software Development SecuritySam Bowne
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development SecuritySam Bowne
 
Tech presentation (part 1)
Tech presentation (part 1)Tech presentation (part 1)
Tech presentation (part 1)Abhijit Roy
 
Hpc lunch and learn
Hpc lunch and learnHpc lunch and learn
Hpc lunch and learnJohn D Almon
 
KYSUC - Keep Your Schema Under Control
KYSUC - Keep Your Schema Under ControlKYSUC - Keep Your Schema Under Control
KYSUC - Keep Your Schema Under ControlCoimbra JUG
 
Exploiting NoSQL Like Never Before
Exploiting NoSQL Like Never BeforeExploiting NoSQL Like Never Before
Exploiting NoSQL Like Never BeforeFrancis Alexander
 
Introduction to CQRS - command and query responsibility segregation
Introduction to CQRS - command and query responsibility segregationIntroduction to CQRS - command and query responsibility segregation
Introduction to CQRS - command and query responsibility segregationAndrew Siemer
 

More Related Content

Similar to 8. Software Development Security

.Net programming with C#
.Net programming with C#.Net programming with C#
.Net programming with C#NguynSang29
 
Autoframework design
Autoframework designAutoframework design
Autoframework designForge Events
 
Distributed objects & components of corba
Distributed objects & components of corbaDistributed objects & components of corba
Distributed objects & components of corbaMayuresh Wadekar
 
Managing Applications in CodeIgniter
Managing Applications in CodeIgniterManaging Applications in CodeIgniter
Managing Applications in CodeIgniterJamshid Hashimi
 
SOLID Programming with Portable Class Libraries
SOLID Programming with Portable Class LibrariesSOLID Programming with Portable Class Libraries
SOLID Programming with Portable Class LibrariesVagif Abilov
 
Starting from scratch in 2017
Starting from scratch in 2017Starting from scratch in 2017
Starting from scratch in 2017Stefano Bonetta
 
Introducing NoSQL and MongoDB to complement Relational Databases (AMIS SIG 14...
Introducing NoSQL and MongoDB to complement Relational Databases (AMIS SIG 14...Introducing NoSQL and MongoDB to complement Relational Databases (AMIS SIG 14...
Introducing NoSQL and MongoDB to complement Relational Databases (AMIS SIG 14...Lucas Jellema
 
An Open Source Workbench for Prototyping Multimodal Interactions Based on Off...
An Open Source Workbench for Prototyping Multimodal Interactions Based on Off...An Open Source Workbench for Prototyping Multimodal Interactions Based on Off...
An Open Source Workbench for Prototyping Multimodal Interactions Based on Off...Jean Vanderdonckt
 
Composable Software Architecture with Spring
Composable Software Architecture with SpringComposable Software Architecture with Spring
Composable Software Architecture with SpringSam Brannen
 
U-SQL - Azure Data Lake Analytics for Developers
U-SQL - Azure Data Lake Analytics for DevelopersU-SQL - Azure Data Lake Analytics for Developers
U-SQL - Azure Data Lake Analytics for DevelopersMichael Rys
 
Reactive Development: Commands, Actors and Events. Oh My!!
Reactive Development: Commands, Actors and Events.  Oh My!!Reactive Development: Commands, Actors and Events.  Oh My!!
Reactive Development: Commands, Actors and Events. Oh My!!David Hoerster
 
COMMitMDE'18: Eclipse Hawk: model repository querying as a service
COMMitMDE'18: Eclipse Hawk: model repository querying as a serviceCOMMitMDE'18: Eclipse Hawk: model repository querying as a service
COMMitMDE'18: Eclipse Hawk: model repository querying as a serviceAntonio García-Domínguez
 
DataFrames: The Extended Cut
DataFrames: The Extended CutDataFrames: The Extended Cut
DataFrames: The Extended CutWes McKinney
 
Open Source Tools and the Software Engineering Process
Open Source Tools and the Software Engineering ProcessOpen Source Tools and the Software Engineering Process
Open Source Tools and the Software Engineering ProcessSteve Arnold
 
DSD-INT 2020 Scripting a Delft-FEWS configuration - Verkade
DSD-INT 2020 Scripting a Delft-FEWS configuration - VerkadeDSD-INT 2020 Scripting a Delft-FEWS configuration - Verkade
DSD-INT 2020 Scripting a Delft-FEWS configuration - VerkadeDeltares
 
IBM InterConnect 2015 - IIB Effective Application Development
IBM InterConnect 2015 - IIB Effective Application DevelopmentIBM InterConnect 2015 - IIB Effective Application Development
IBM InterConnect 2015 - IIB Effective Application DevelopmentAndrew Coleman
 

Similar to 8. Software Development Security (20)

.Net programming with C#
.Net programming with C#.Net programming with C#
.Net programming with C#
 
Autoframework design
Autoframework designAutoframework design
Autoframework design
 
Distributed objects & components of corba
Distributed objects & components of corbaDistributed objects & components of corba
Distributed objects & components of corba
 
Why ruby and rails
Why ruby and railsWhy ruby and rails
Why ruby and rails
 
Managing Applications in CodeIgniter
Managing Applications in CodeIgniterManaging Applications in CodeIgniter
Managing Applications in CodeIgniter
 
Node.js
Node.jsNode.js
Node.js
 
SOLID Programming with Portable Class Libraries
SOLID Programming with Portable Class LibrariesSOLID Programming with Portable Class Libraries
SOLID Programming with Portable Class Libraries
 
Starting from scratch in 2017
Starting from scratch in 2017Starting from scratch in 2017
Starting from scratch in 2017
 
Introducing NoSQL and MongoDB to complement Relational Databases (AMIS SIG 14...
Introducing NoSQL and MongoDB to complement Relational Databases (AMIS SIG 14...Introducing NoSQL and MongoDB to complement Relational Databases (AMIS SIG 14...
Introducing NoSQL and MongoDB to complement Relational Databases (AMIS SIG 14...
 
An Open Source Workbench for Prototyping Multimodal Interactions Based on Off...
An Open Source Workbench for Prototyping Multimodal Interactions Based on Off...An Open Source Workbench for Prototyping Multimodal Interactions Based on Off...
An Open Source Workbench for Prototyping Multimodal Interactions Based on Off...
 
Composable Software Architecture with Spring
Composable Software Architecture with SpringComposable Software Architecture with Spring
Composable Software Architecture with Spring
 
U-SQL - Azure Data Lake Analytics for Developers
U-SQL - Azure Data Lake Analytics for DevelopersU-SQL - Azure Data Lake Analytics for Developers
U-SQL - Azure Data Lake Analytics for Developers
 
Reactive Development: Commands, Actors and Events. Oh My!!
Reactive Development: Commands, Actors and Events.  Oh My!!Reactive Development: Commands, Actors and Events.  Oh My!!
Reactive Development: Commands, Actors and Events. Oh My!!
 
DataOps with Project Amaterasu
DataOps with Project AmaterasuDataOps with Project Amaterasu
DataOps with Project Amaterasu
 
COMMitMDE'18: Eclipse Hawk: model repository querying as a service
COMMitMDE'18: Eclipse Hawk: model repository querying as a serviceCOMMitMDE'18: Eclipse Hawk: model repository querying as a service
COMMitMDE'18: Eclipse Hawk: model repository querying as a service
 
DataFrames: The Extended Cut
DataFrames: The Extended CutDataFrames: The Extended Cut
DataFrames: The Extended Cut
 
Oracle OpenWo2014 review part 03 three_paa_s_database
Oracle OpenWo2014 review part 03 three_paa_s_databaseOracle OpenWo2014 review part 03 three_paa_s_database
Oracle OpenWo2014 review part 03 three_paa_s_database
 
Open Source Tools and the Software Engineering Process
Open Source Tools and the Software Engineering ProcessOpen Source Tools and the Software Engineering Process
Open Source Tools and the Software Engineering Process
 
DSD-INT 2020 Scripting a Delft-FEWS configuration - Verkade
DSD-INT 2020 Scripting a Delft-FEWS configuration - VerkadeDSD-INT 2020 Scripting a Delft-FEWS configuration - Verkade
DSD-INT 2020 Scripting a Delft-FEWS configuration - Verkade
 
IBM InterConnect 2015 - IIB Effective Application Development
IBM InterConnect 2015 - IIB Effective Application DevelopmentIBM InterConnect 2015 - IIB Effective Application Development
IBM InterConnect 2015 - IIB Effective Application Development
 

More from Sam Bowne

3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities Sam Bowne
 
4 Mapping the Application
4 Mapping the Application4 Mapping the Application
4 Mapping the ApplicationSam Bowne
 
3. Attacking iOS Applications (Part 2)
 3. Attacking iOS Applications (Part 2) 3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2)Sam Bowne
 
12 Elliptic Curves
12 Elliptic Curves12 Elliptic Curves
12 Elliptic CurvesSam Bowne
 
11. Diffie-Hellman
11. Diffie-Hellman11. Diffie-Hellman
11. Diffie-HellmanSam Bowne
 
2a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1Sam Bowne
 
9 Writing Secure Android Applications
9 Writing Secure Android Applications9 Writing Secure Android Applications
9 Writing Secure Android ApplicationsSam Bowne
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)Sam Bowne
 
12 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3Sam Bowne
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard ProblemsSam Bowne
 
8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)Sam Bowne
 
11 Analysis Methodology
11 Analysis Methodology11 Analysis Methodology
11 Analysis MethodologySam Bowne
 
8. Authenticated Encryption
8. Authenticated Encryption8. Authenticated Encryption
8. Authenticated EncryptionSam Bowne
 
7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)Sam Bowne
 
7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)Sam Bowne
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream CiphersSam Bowne
 
6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data CollectionSam Bowne
 
4. Block Ciphers
4. Block Ciphers 4. Block Ciphers
4. Block Ciphers Sam Bowne
 

More from Sam Bowne (20)

Cyberwar
CyberwarCyberwar
Cyberwar
 
3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities
 
4 Mapping the Application
4 Mapping the Application4 Mapping the Application
4 Mapping the Application
 
3. Attacking iOS Applications (Part 2)
 3. Attacking iOS Applications (Part 2) 3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2)
 
12 Elliptic Curves
12 Elliptic Curves12 Elliptic Curves
12 Elliptic Curves
 
11. Diffie-Hellman
11. Diffie-Hellman11. Diffie-Hellman
11. Diffie-Hellman
 
2a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1
 
9 Writing Secure Android Applications
9 Writing Secure Android Applications9 Writing Secure Android Applications
9 Writing Secure Android Applications
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)
 
10 RSA
10 RSA10 RSA
10 RSA
 
12 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard Problems
 
8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)
 
11 Analysis Methodology
11 Analysis Methodology11 Analysis Methodology
11 Analysis Methodology
 
8. Authenticated Encryption
8. Authenticated Encryption8. Authenticated Encryption
8. Authenticated Encryption
 
7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)
 
7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream Ciphers
 
6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection
 
4. Block Ciphers
4. Block Ciphers 4. Block Ciphers
4. Block Ciphers
 

Recently uploaded

Successful projects and failed programmes – the cost of not designing the who...
Successful projects and failed programmes – the cost of not designing the who...Successful projects and failed programmes – the cost of not designing the who...
Successful projects and failed programmes – the cost of not designing the who...Association for Project Management
 
Genetics, Heredity, Variation, history, its roles, Scope, Importance, and Bra...
Genetics, Heredity, Variation, history, its roles, Scope, Importance, and Bra...Genetics, Heredity, Variation, history, its roles, Scope, Importance, and Bra...
Genetics, Heredity, Variation, history, its roles, Scope, Importance, and Bra...AKSHAYMAGAR17
 
A Free eBook ~ Mental Exercise ...Puzzles to Analyze.pdf
A Free eBook ~ Mental Exercise ...Puzzles to Analyze.pdfA Free eBook ~ Mental Exercise ...Puzzles to Analyze.pdf
A Free eBook ~ Mental Exercise ...Puzzles to Analyze.pdfOH TEIK BIN
 
How To Create Record Rules in the Odoo 17
How To Create Record Rules in the Odoo 17How To Create Record Rules in the Odoo 17
How To Create Record Rules in the Odoo 17Celine George
 
Database Security Methods, DAC, MAC,View
Database Security Methods, DAC, MAC,ViewDatabase Security Methods, DAC, MAC,View
Database Security Methods, DAC, MAC,ViewDr-Dipali Meher
 
Decision on Curriculum Change Path: Towards Standards-Based Curriculum in Ghana
Decision on Curriculum Change Path: Towards Standards-Based Curriculum in GhanaDecision on Curriculum Change Path: Towards Standards-Based Curriculum in Ghana
Decision on Curriculum Change Path: Towards Standards-Based Curriculum in GhanaPrince Armah, PhD
 
Enhancing MRD Testing in Hematologic Malignancies: When Negativity is a Posit...
Enhancing MRD Testing in Hematologic Malignancies: When Negativity is a Posit...Enhancing MRD Testing in Hematologic Malignancies: When Negativity is a Posit...
Enhancing MRD Testing in Hematologic Malignancies: When Negativity is a Posit...i3 Health
 
Practical Research 1, Lesson 5: DESIGNING A RESEARCH PROJECT RELATED TO DAILY...
Practical Research 1, Lesson 5: DESIGNING A RESEARCH PROJECT RELATED TO DAILY...Practical Research 1, Lesson 5: DESIGNING A RESEARCH PROJECT RELATED TO DAILY...
Practical Research 1, Lesson 5: DESIGNING A RESEARCH PROJECT RELATED TO DAILY...Katherine Villaluna
 
2024-02-24_Session 1 - PMLE_UPDATED.pptx
2024-02-24_Session 1 - PMLE_UPDATED.pptx2024-02-24_Session 1 - PMLE_UPDATED.pptx
2024-02-24_Session 1 - PMLE_UPDATED.pptxgdgsurrey
 
Unit 5th topic Drugs used in congestive Heart failure and shock.pdf
Unit 5th topic Drugs used in congestive Heart failure and shock.pdfUnit 5th topic Drugs used in congestive Heart failure and shock.pdf
Unit 5th topic Drugs used in congestive Heart failure and shock.pdfSUMIT TIWARI
 
Can Brain Science Actually Help Make Your Training & Teaching "Stick"?
Can Brain Science Actually Help Make Your Training & Teaching "Stick"?Can Brain Science Actually Help Make Your Training & Teaching "Stick"?
Can Brain Science Actually Help Make Your Training & Teaching "Stick"?Aggregage
 
EmpTech Lesson 7 - Online Creation Tools, Platforms, and Applications for ICT...
EmpTech Lesson 7 - Online Creation Tools, Platforms, and Applications for ICT...EmpTech Lesson 7 - Online Creation Tools, Platforms, and Applications for ICT...
EmpTech Lesson 7 - Online Creation Tools, Platforms, and Applications for ICT...liera silvan
 
SSC Hindu Religion and Moral Education MCQ Solutions 2024.pdf
SSC Hindu Religion and Moral Education MCQ Solutions 2024.pdfSSC Hindu Religion and Moral Education MCQ Solutions 2024.pdf
SSC Hindu Religion and Moral Education MCQ Solutions 2024.pdfMohonDas
 
Understanding Canada's international higher education landscape (2024)
Understanding Canada's international higher education landscape (2024)Understanding Canada's international higher education landscape (2024)
Understanding Canada's international higher education landscape (2024)CaraSkikne1
 
Dr.M.Florence Dayana-Cloud Computing-Unit - 1.pdf
Dr.M.Florence Dayana-Cloud Computing-Unit - 1.pdfDr.M.Florence Dayana-Cloud Computing-Unit - 1.pdf
Dr.M.Florence Dayana-Cloud Computing-Unit - 1.pdfDr.Florence Dayana
 
Kartik Nair In Media Res Media Component
Kartik Nair In Media Res Media ComponentKartik Nair In Media Res Media Component
Kartik Nair In Media Res Media ComponentInMediaRes1
 
Permeation enhancer of Transdermal drug delivery system
Permeation enhancer of Transdermal drug delivery systemPermeation enhancer of Transdermal drug delivery system
Permeation enhancer of Transdermal drug delivery systemchetanpatil2572000
 
MEC MAJUBA SADDENED BY THE PASSING AWAY OF THREE TEACHERS FOLLOWING A CAR ACC...
MEC MAJUBA SADDENED BY THE PASSING AWAY OF THREE TEACHERS FOLLOWING A CAR ACC...MEC MAJUBA SADDENED BY THE PASSING AWAY OF THREE TEACHERS FOLLOWING A CAR ACC...
MEC MAJUBA SADDENED BY THE PASSING AWAY OF THREE TEACHERS FOLLOWING A CAR ACC...SABC News
 
Relational_Algebra_Calculus Operations.pdf
Relational_Algebra_Calculus Operations.pdfRelational_Algebra_Calculus Operations.pdf
Relational_Algebra_Calculus Operations.pdfChristalin Nelson
 

Recently uploaded (20)

Advance Mobile Application Development class 04
Advance Mobile Application Development class 04Advance Mobile Application Development class 04
Advance Mobile Application Development class 04
 
Successful projects and failed programmes – the cost of not designing the who...
Successful projects and failed programmes – the cost of not designing the who...Successful projects and failed programmes – the cost of not designing the who...
Successful projects and failed programmes – the cost of not designing the who...
 
Genetics, Heredity, Variation, history, its roles, Scope, Importance, and Bra...
Genetics, Heredity, Variation, history, its roles, Scope, Importance, and Bra...Genetics, Heredity, Variation, history, its roles, Scope, Importance, and Bra...
Genetics, Heredity, Variation, history, its roles, Scope, Importance, and Bra...
 
A Free eBook ~ Mental Exercise ...Puzzles to Analyze.pdf
A Free eBook ~ Mental Exercise ...Puzzles to Analyze.pdfA Free eBook ~ Mental Exercise ...Puzzles to Analyze.pdf
A Free eBook ~ Mental Exercise ...Puzzles to Analyze.pdf
 
How To Create Record Rules in the Odoo 17
How To Create Record Rules in the Odoo 17How To Create Record Rules in the Odoo 17
How To Create Record Rules in the Odoo 17
 
Database Security Methods, DAC, MAC,View
Database Security Methods, DAC, MAC,ViewDatabase Security Methods, DAC, MAC,View
Database Security Methods, DAC, MAC,View
 
Decision on Curriculum Change Path: Towards Standards-Based Curriculum in Ghana
Decision on Curriculum Change Path: Towards Standards-Based Curriculum in GhanaDecision on Curriculum Change Path: Towards Standards-Based Curriculum in Ghana
Decision on Curriculum Change Path: Towards Standards-Based Curriculum in Ghana
 
Enhancing MRD Testing in Hematologic Malignancies: When Negativity is a Posit...
Enhancing MRD Testing in Hematologic Malignancies: When Negativity is a Posit...Enhancing MRD Testing in Hematologic Malignancies: When Negativity is a Posit...
Enhancing MRD Testing in Hematologic Malignancies: When Negativity is a Posit...
 
Practical Research 1, Lesson 5: DESIGNING A RESEARCH PROJECT RELATED TO DAILY...
Practical Research 1, Lesson 5: DESIGNING A RESEARCH PROJECT RELATED TO DAILY...Practical Research 1, Lesson 5: DESIGNING A RESEARCH PROJECT RELATED TO DAILY...
Practical Research 1, Lesson 5: DESIGNING A RESEARCH PROJECT RELATED TO DAILY...
 
2024-02-24_Session 1 - PMLE_UPDATED.pptx
2024-02-24_Session 1 - PMLE_UPDATED.pptx2024-02-24_Session 1 - PMLE_UPDATED.pptx
2024-02-24_Session 1 - PMLE_UPDATED.pptx
 
Unit 5th topic Drugs used in congestive Heart failure and shock.pdf
Unit 5th topic Drugs used in congestive Heart failure and shock.pdfUnit 5th topic Drugs used in congestive Heart failure and shock.pdf
Unit 5th topic Drugs used in congestive Heart failure and shock.pdf
 
Can Brain Science Actually Help Make Your Training & Teaching "Stick"?
Can Brain Science Actually Help Make Your Training & Teaching "Stick"?Can Brain Science Actually Help Make Your Training & Teaching "Stick"?
Can Brain Science Actually Help Make Your Training & Teaching "Stick"?
 
EmpTech Lesson 7 - Online Creation Tools, Platforms, and Applications for ICT...
EmpTech Lesson 7 - Online Creation Tools, Platforms, and Applications for ICT...EmpTech Lesson 7 - Online Creation Tools, Platforms, and Applications for ICT...
EmpTech Lesson 7 - Online Creation Tools, Platforms, and Applications for ICT...
 
SSC Hindu Religion and Moral Education MCQ Solutions 2024.pdf
SSC Hindu Religion and Moral Education MCQ Solutions 2024.pdfSSC Hindu Religion and Moral Education MCQ Solutions 2024.pdf
SSC Hindu Religion and Moral Education MCQ Solutions 2024.pdf
 
Understanding Canada's international higher education landscape (2024)
Understanding Canada's international higher education landscape (2024)Understanding Canada's international higher education landscape (2024)
Understanding Canada's international higher education landscape (2024)
 
Dr.M.Florence Dayana-Cloud Computing-Unit - 1.pdf
Dr.M.Florence Dayana-Cloud Computing-Unit - 1.pdfDr.M.Florence Dayana-Cloud Computing-Unit - 1.pdf
Dr.M.Florence Dayana-Cloud Computing-Unit - 1.pdf
 
Kartik Nair In Media Res Media Component
Kartik Nair In Media Res Media ComponentKartik Nair In Media Res Media Component
Kartik Nair In Media Res Media Component
 
Permeation enhancer of Transdermal drug delivery system
Permeation enhancer of Transdermal drug delivery systemPermeation enhancer of Transdermal drug delivery system
Permeation enhancer of Transdermal drug delivery system
 
MEC MAJUBA SADDENED BY THE PASSING AWAY OF THREE TEACHERS FOLLOWING A CAR ACC...
MEC MAJUBA SADDENED BY THE PASSING AWAY OF THREE TEACHERS FOLLOWING A CAR ACC...MEC MAJUBA SADDENED BY THE PASSING AWAY OF THREE TEACHERS FOLLOWING A CAR ACC...
MEC MAJUBA SADDENED BY THE PASSING AWAY OF THREE TEACHERS FOLLOWING A CAR ACC...
 
Relational_Algebra_Calculus Operations.pdf
Relational_Algebra_Calculus Operations.pdfRelational_Algebra_Calculus Operations.pdf
Relational_Algebra_Calculus Operations.pdf
 

8. Software Development Security

  • 1. CNIT 125: Information Security Professional (CISSP Preparation) Ch 8. Software Development Security Updated 5-9-23
  • 3. Machine Code, Source Code, and Assembly Language • Machine code • Binary language built into CPU • Source code • Human-readable language like C • Assembly Language • Low-level commands one step above machine language • Commands like ADD, SUB, PUSH
  • 4. Compilers, Interpreters, and Bytecode • Compilers translate source code into machine code • Interpreters translate each line of code into machine code on the fly while the program runs • Bytecode is an intermediary form between source code and machine code, ready to be executed in a Java Virtual Machine
  • 5. Procedural and Object-Oriented Languages • Procedural languages use subroutines, procedures and functions • Ex: C, FORTRAN • Object-oriented languages define abstract objects • Have attributes and methods • Can inherit properties from parent objects • Ex: C++, Ruby, Python
  • 8. Computer-Aided Software Engineering (CASE) • Programs assist in creation and maintenance of other programs • Three types • Tools: support one task • Workbenches: Integrate several tools • Environments: Support entire process • 4GL, object-oriented languages, and GUIs are used as components of CASE
  • 9. Top-Down vs. Bottom-Up Programming • Top-Down • Starts with high-level requirements • Common with procedural languages • Bottom-Up • Starts with low-level technical implementation details • Common with object-oriented languages
  • 10. Types of Publicly Released Software • Closed Source • Source code is confidential • Open Source • Free Software • May cost $0, or be open to modify • Freeware: costs $0 • Shareware: free trial period • Crippleware: limited free version
  • 11. Software Licensing • Public domain (free to use) • Proprietary software is copyrighted, and sometimes patented • EULA (End User License Agreement) • Open-source licenses • GNU Public License (GPL) • Berkeley Software Distribution (BSD) • Apache
  • 13. Waterfall Model • From 1969 • One-way • No iteration • Unrealistic
  • 16. Agile Software Development • Agile methods include Scrum and Extreme Programming (XP) • Agile Manifesto
  • 17. Scrum • Stop running the relay race • Doing only one step and handing off the project • Take up rugby • A team goes the distance as a unit
  • 18. Extreme Programming (XP) • Pairs of programmers work off a detailed specification • Constant communication with fellow programmers and customers
  • 19. Spiral • Many rounds • Each round is a project; may use waterfall model • Risk analysis performed for each round
  • 21. Rapid Application Development (RAD) • Goal: quickly meet business needs • Uses prototypes, "dummy" GUIs, and back-end databases
  • 22. Prototyping • Breaks projects into smaller tasks • Create multiple mockups (prototypes) • Customer sees realistic-looking results long before the final product is completed
  • 23. SDLC • Systems Development Life Cycle • or Software Development Life Cycle • Security included in every phase • NIST Special Publication 800-14
  • 24. SDLC Phases • Initiation • Development / Acquisition • Implementation • Operation • Disposal • Security plan should be first step
  • 25. SDLC Overview • Prepare security plan • Initiation: define need and purpose • Sensitivity Assessment • Development / Acquisition • Determine security requirements and incorporate them into specifications • Implementation • Install controls, security testing, accreditation
  • 26. SDLC Overview • Operation / Maintenance • Security operations and administration: backups, training, key management, etc. • Audits and monitoring • Disposal • Archiving • Media sanitization
  • 27. Integrated Product Teams • A customer-focused group that focuses on the entire lifecycle of a project • More agile than traditional hierarchical teams
  • 28. Software Escrow • Third party archives source code of proprietary software • Source code is revealed if the product is orphaned
  • 29. Code Repository Security • Like GitHub • Contents must be protected • Developers shouldn't publish code that contains secrets
  • 30. Security of Application Programming Interfaces (APIs) • API allows apps to use a service, like Facebook • API exploits abuse the API to compromise security
  • 32. Software Change and Configuration Management • Ensures that changes occur in an orderly fashion, and don't harm security • NIST SP 80-128 describes a Configuration Management Plan (CMP) • Configuration Control Board (CCB) • Configuration Item Identification • Configuration Change Control • Configuration Monitoring
  • 33. DevOps • Old system had strict separation of duties between developers, quality assurance, and production • DevOps is more agile, with everyone working together in the entire service lifecycle
  • 34. Ch 8a
  • 36. Database • Structured collection of data • Databases allow • Queries (searches) • Insertions • Deletions • Database Management Systems (DBMS) • Controls all access to the database • Enforces database security
  • 37. Database Concepts • Database Administrator (DBA) • Query language • Ex: Structured Query Language (SQL) • Inference attack • Enumerating low-privilege data to find missing items, which must be high-privilege • Aggregation attack • Combining many low-privilege records to deduce high-privilege data
  • 38. Types of Databases • Relational • Hierarchical • Object-oriented • Flat file • Simple text file
  • 40. Relational Database Terms • Tables have rows (records or tuples) and columns (fields or attributes) • Primary Key field is guaranteed to be unique, like a SSN • Foreign key is a field in another table that matched the primary key • Join connects two tables by a matching field
  • 41. Integrity • Referential Integrity • Foreign keys match primary keys • Semantic Integrity • Field values match data type (no letters in numerical fields) • Entity Integrity • Each tuple has a non-null primary key
  • 44. Database Views • Contained user interface • Shows only some data and options • Like a PoS (Point of Sale) device
  • 45. Data Dictionary • Describes the tables • This is metadata -- data about data • Database schema • Describes the attributes and values of the tables
  • 47. Query Languages • Two subsets of commands • Data Definition Language (DDL) • Data Manipulation Language (DML) • Structured Query Language (SQL) is the most common query language • Many types • MySQL, ANSI SQL (used by Microsoft), PL/SQL (Procedural Language/SQL, used by Oracle), and more
  • 48. Common SQL Commands • SELECT * FROM Employees WHERE Title = "DETECTIVE"
  • 50. Object-Oriented Databases • Combines data and functions in an object-oriented framework • Uses Object Oriented Programming (OOP) • and Object Database Management System (OBMS)
  • 51. Database Integrity • Mitigate unauthorized data modification • Two users may attempt to change the same record simultaneously • The DBMS attempts to commit an update • If the commit is unsuccessful, the DBMS can rollback and restore from a save point • Database journal logs all transactions
  • 52. Database Replication and Shadowing • Highly Available (HA) databases • Multiple servers • Multiple copies of tables • Database replication • Mirrors a live database • Original and copy are in use, serving clients • Shadow database • Live backup, not used
  • 53. Data Warehousing and Data Mining • Data Warehouse • A large collection of data • Terabytes (1000 GB) • Petabytes (1000 TB) • Data Mining • Searching for patterns • Ex: finding credit card fraud
  • 55. Object-Oriented Programming (OOP) • A program is a series of connected objects that communicate via messages • Ex: Java, C++, Smalltalk, Ruby • Objects contain data and methods • Objects provide data hiding • Internal structure not visible from the outside • Also called encapsulation
  • 56. Object-Oriented Programming Concepts • Objects • Methods • Messages • Inheritance • Delegation • Polymorphism • Polyinstantiation
  • 57. Example • Addy is an object • It has a method of addition • Input message is "1+2" • Output message is "3"
  • 58. Delegation and Polymorphism Polymorphism: the same "Addy" could process integers and string inputs
  • 59. Polyinstantiation • Multiple records for the same primary key, with different clearance levels
  • 60. Object Request Brokers (ORBs) • Middleware • Connect programs to other programs • Object search engines • Common ORBs • COM, DCOM, CORBA
  • 61. COM and DCOM • Component Object Model • Distributed Component Object Model • From Microsoft • Allows objects written in different OOP languages to communicate • Assemble a program by connecting components together like puzzle pieces • Includes ActiveX objects and Object Linking and Embedding (OLE) • COM and DCOM are being supplanted by Microsoft.NET
  • 62. CORBA • Common Object Request Broker Architecture • Open vendor-neutral framework • Competes with Microsoft's proprietary DCOM • Objects communicate via Interface Definition Language (IDL)
  • 63. Object-Oriented Analysis (OOA) & Object-Oriented Design (OOD) • Object-Oriented Analysis (OOA) • Analyzes a problem domain • Identifies all objects and interactions • Object-Oriented Design (OOD) • Then develops the solution
  • 65. Ch 8b
  • 66. Assessing the Effectiveness of Software Security
  • 67. Software Vulnerabilities • 15-50 errors per 1000 lines of code • Windows Vista has 50 million lines of code
  • 68. Types of Software Vulnerabilities • Hard-coded credentials • Buffer overflow • SQL injection • Directory path traversal • PHP Remote File Inclusion
  • 69. Buffer Overflow • Program reserves space for a variable • Ex: name[20] • User submits data that's too long to fit • Data written beyond the reserved space and corrupts memory • Can lead to Remote Code Execution
  • 70. TOCTOU / Race Conditions • Time of Check/Time of Use (TOCTOU) attacks (also called Race Conditions) • A brief time of vulnerability • Attacker needs to "win the race"
  • 71. Cross-Site Scripting (XSS) • Insert Javascript into a page • For example, a comment box • The code executes on another user's machine • BeEF (Browser Exploitation Framework) • Allows an attacker to control targets' browsers
  • 72. Cross-Site Request Forgery (CSRF) • Trick a user into executing an unintended action • With a malicious URL • Or by using a stolen cookie
  • 73. Privilege Escalation • Vertical escalation • Attacker increases privilege level • To "Administrator", "root", or "SYSTEM" • Horizontal escalation • To another user's account
  • 74. Backdoor • Shortcut into a system, bypassing security checks like username/password • May be through exploiting a vulnerability • Or a backdoor account left in the system by its developer
  • 75. Disclosure • Actions taken by a security researcher after finding a software vulnerability • Full Disclosure • Release all details publicly • Responsible Disclosure • Tell vendor privately • Give them time to patch it
  • 76. Software Capability Maturity Model (CMM) • From Carnegie Mellon • A methodical framework for creating quality software
  • 77. Five Levels of CMM 1. Initial - ad-hoc & chaotic • Depends on individual effort 2. Repeatable - basic project management 3. Defined • Documented standardized process 4. Managed • Controlled, measured process & quality 5. Optimizing • Continual process improvement
  • 78. Acceptance Testing • ISTQB (International Software Testing Qualifications Board) has 4 levels • User acceptance test • Operational acceptance test • Contract acceptance testing • Compliance acceptance testing
  • 79. Security Impact of Acquired Software • Commercial Off-the-Shelf (COTS) Software • Compare vendor claims with third-party research • Consider vendors going out of business, and support • Custom-Developed Third Party Products • Service Level Agreements (SLA) are vital
  • 81. Expert Systems • Two components • Knowledge Base • If/then statements • Contain rules that the expert system uses to make decisions • Inference Engine • Follows the tree formed by the knowledge base
  • 82. Multi-Layer Artificial Neural Network • Simulates real brains
  • 83. Bayesian Filtering • Looks for probabilities of words in spam v. good email
  • 84. Genetic Algorithms and Programming • Simulates evolution
  • 85. Ch 8c