CSE18R264 - IT Application Security
Unit -1
Introduction to software development and application security
Software development requires an understanding of the following:
● Basics of software development.
● Essence of software development.
● Know-how of software development.
Basics of Software Development
● The compound word software development has two parts, software plus development.
● Software is a well-defined collection of computer programs.
● A computer program is a well-defined collection of computer code written in a programming language.
● A computer program is built by stacking and nesting code, and the execution of that code is governed by the
programming logic of sequence, selection, and repetition.
● The role of a computer program is basically to perform the desired task as coded by a computer
programmer, who is otherwise known as a software developer.
● A computer program thus enables a computer to take input, process it, and generate result(s) as output.
● Software thereby governs computer hardware and brings it to functionality.
● Without software a computer cannot perform data processing, number crunching, or web application
tasks that need the Internet, servers, and electricity.
● On the other hand, the second part development is the process of creating, improving, and advancing a
computer program in a logical manner adhering to the latest and improved algorithms and data structures
that consolidate a computer program.
● An optimized computer program minimizes time and space complexity, which needs innovation, research,
and endeavour from the software developer’s end.
● The art of computer programming is a wonderful, imaginative, and revered job that is ever appreciated by
humankind.
● Once a logical set of optimized computer programs has been made and consolidated as software, it can be
used for application or operating system purposes as intended.
● Therefore, the task of a software developer is to develop software for a computer system that can act as an
operating system or can be tailor-made for a specific application such as a web application, database
application, or custom application.
● Therewith, software development is a process of creating a new software or improving the existing software
that caters to the current needs of computing devices, organizations, groups, or individuals by planning,
designing, implementing, testing, and maintaining the developed software.
Essence of software development
The contemporary world has seen a paradigm shift from paper-based work environment to computer-based work
environment.
The need to provide and obtain information in the quickest possible manner gave impetus to information
technology.
Now you can see a world completely and universally reliant on the computing power of computers, groups of
interconnected computers, and the worldwide group of interconnected computers, constituting networks such
as an intranet, an extranet, and the Internet.
Software development is essential to provide an organisation the power to render information as an
embodiment of omnipresence, omniscience, and omnipotence to users.
Indeed, your search has now migrated from the traditional library-based search for the requisite books to an
electronic search using the latest search engine, which provides the same or better search quality in a jiffy.
What is this search engine?
To your surprise, search engines are nothing more than software that performs a thorough search of the
humongous databases scattered world-wide to cater to what you need in your search result.
Search engines such as Bing, Yahoo, or Google basically do the task of searching content on the basis of the
keywords that you have typed in the search text box.
This might give you the perspective that when you need to know about an organisation, product, or anything you
desire, you can by all means take the help of these search engines and obtain the result as information.
Now, to make your organisation visible in these searches, the following things need to be done:
first, make a web application promoting your company, its essence, and services;
second, market your web application and make it search-engine optimizable so that it can rank at the top of the
search list; last but not least, make your web application secure.
Knowhow of software development
Software development needs an in-depth understanding of programming languages, involves a systematic
approach to the development process, obligates the use of a software development life cycle, and follows a
development procedure by pursuing a standard and befitting software development methodology.
The choice of language depends upon the usage and requirements of the user, business, or computational
machine.
The programming languages as invented from the antiquity of computer generation to modernity are machine
language, assembly language, high level language, very high level language, and natural language.
As a modern developer you must follow the latest technology, software development methodology, and
future-ready programming language.
This will not only help you to develop state-of-the-art application software but also implement robust application
security.
This will protect information from misuse, breaches, and tampering, thereby making information safe, secure,
and stable.
Now, after you have decided on the language that you will use to develop the software, are willing to take a
systematic approach, are ready to experience the software development process through the various phases
portrayed in the software development life cycle, and are ready to execute a cutting-edge software development
methodology, make a proposal document for the organization for which you are developing the software.
Begin your journey of software development from the feasibility analysis by ensuring financial soundness and
technical feasibility of the proposed software development project.
Then proceed to the requirement analysis and specification so that you can understand the clients’
requirements and organize them in a working document.
There is no mathematical or logical approach to requirements gathering, nevertheless you can follow the
footsteps of experts through interviewing, questionnaires, observations, review of policies and records of the
organization, and creating crisp data flow diagrams or flowcharts to analyse the requirements of the business.
Application Security
Application security requires the understanding of the following:
● Fundamentals of application security.
● Nitty-gritties of application security.
● How-tos of application security.
Fundamentals of application security
Application security refers to the controls or countermeasures that are included within and applied to system and application software, which include operating
system and specific software developed for particular purpose such as web application, database application, etc.
Specialized security controls are required in database applications to manage security risks inherent in volume of data being handled, and for web applications
due to accessibility requirements that create risk of infiltration of information system.
During the software development life cycle, you must develop software in a secure and controlled manner so that the developed software has
controls built in to support the security goals of the organization.
The security risks that crop up in the software development discipline include malware, bugs, unseen vulnerabilities, and careless programming practices,
which form the major means for attackers to achieve unauthorized access, system intrusions, breaches of security and integrity, network misuse, and other
offensives.
In addition, improper processing impacts integrity (which maintains the accuracy of data), development errors often create problems for availability
(which lets users access data correctly), and improper disclosure undermines confidentiality (which protects the secrecy and privacy of sensitive data);
security controls protect information against all three.
During the security system testing, you must perform application security testing to evaluate the controls over the application and process flow, which include
the application’s resistance to buffer overflow, usage of encryption to protect the confidentiality and integrity of application, user authentication, integrity of
the Internet user’s session with the host application, and use of cookies.
The vulnerability focus areas for secure software development, which are the key areas where errors are most often committed, include:
● Input validation (IV).
● Sensitive data (SD).
● Authentication.
● Authorization.
● Configuration management (CM).
● Session management (SM).
● Cryptography.
● Parameter manipulation (PM).
● Exception management (EM).
● Auditing and logging.
Nitty-Gritties of application security
Applications play a vital role in enforcing the security of the system through appropriate controls, edit checks, and audit trails.
Applications pose challenges for software developers, graphic designers, and system architects who want to create a robust application with the security
perspective in mind.
To create the most secure and hack-resilient application, you need to build it to meet all current security needs.
If the application is not securely designed, its deployment raises concerns, since it can lead to security breaches.
When organizations offer access to core business functionality through web-based applications, new security vulnerabilities are introduced.
Even with a firewall and other monitoring systems, security can be endangered when data traffic must be permitted to pass through the firewall.
You then need to implement the concepts of application security to safeguard against security breaches.
As an information security professional, you must understand the application development environment in order to provide input and guidance for including
security controls into application development projects.
Application should be developed in a secure and controlled manner, and have controls built to support the security goals of the organization.
Some software such as malware have been deliberately developed to break the security of information systems, and this area requires particular study as
well.
Note that malware is not the only security risk in the software arena.
Bugs, unseen vulnerabilities, and careless programming practices are the major means for attackers to achieve unauthorized access, system intrusions,
breaches of security and integrity, network misuse, and other offensives.
In addition, improper processing destroys integrity and development errors often create problems for availability.
Software can be either a security weakness or a security strength.
Properly designed and implemented software can help enforce the accuracy of changes to data, ensure that data is not shared with unauthorized people,
ensure that the systems function correctly through balancing and reports, and track all access to data.
How-tos of application security
You need to apply sound design and architectural best practices, incorporate the organization’s security policies and standards, and reflect on deployment
strategies in order to build a robust application.
Database applications, while a mature and established technology, have specialized requirements and security risks inherent in the volume of data being
managed.
Web applications also have specific risks, due to their accessibility requirements, which can be some of the major points of attack for penetration of an
information system.
Remember that, from a computer and security architecture perspective, “application versus operating system” is a highly simplified view of the complexity of
actual computer operation, and that complexity is the enemy of security.
Note that software protection controls may be applied to any or all of the components, and that software development controls should be applied to all.
Also note that, with the complexity of the many components that can be involved in a given application, management and controls on the development of the
system are all the more important.
Systems and software development projects rarely meet the expectations of the business and seldom integrate the required security principles into the final
product.
It is important that an organization follows good project management controls, which include a systems development methodology such as the Systems
Development Life Cycle (SDLC) that involves the business and the security department throughout the lifespan of the project.
This includes change management controls over the project to prevent uncontrolled changes to the project and the dangers of growing ‘scope’.
The complexity of business processes and systems today makes security more difficult than ever.
Many applications are built to interface with numerous backend systems or data sources – often through some form of middleware.
The integration of data and systems makes the protection of data, and hence compliance with privacy regulations, all the more difficult to ensure.
Basics of programming languages
Generations of programming languages are as shown below:
● First generation: Machine language
● Second generation: Assembly language
● Third generation: High-level language
● Fourth generation: Very high-level language
● Fifth generation: Natural language
Programming languages were developed over the years and improved in both ease of use and increased
functionality.
This has made programming an application much simpler but has also increased the risk, since ‘non-professional’
programmers develop applications without security controls or without following proper programming
practices.
All organizations have to ensure that they have proper backups of all software, as well as documentation of the
function of the software.
First generation:
Machine language is the first-generation programming language. It uses binary codes in the form of bits comprising series of 0s
and 1s, vacuum tubes as internal circuits for processing the codes, and magnetic drums for storing coded data, and was prevalent
from 1940 to 1956.
Humans are not good at remembering numbers, and hence this language was difficult for programmers to memorize, understand,
and use with ease.
Second generation:
Assembly language is the second-generation programming language. It uses mnemonic codes comprising short words
representing commands such as ADD, MUL, SUB, JMP, MOV, DIV, etc., transistors as internal circuits for processing the codes,
and magnetic tapes for storing coded data, and was prevalent from 1956 to 1963.
Mnemonics, though helpful to the programmer for coding and understanding, were not easy for general users.
An assembler extracts from the assembly language program the machine language code that the computer understands, thereby
helping the computer to execute the code.
Third generation:
High-level language is the third-generation programming language. It uses human-understandable traditional code for creating
programs, such as while, if, etc.; integrated circuits for processing programs; magnetic disks for storing coded data; and was
prevalent from 1964 to 1971.
This generation introduced the concepts of control structures, data structures, and machine independence of programs, using a
compiler that converts the program to machine-dependent code for execution.
Examples of high-level languages include C, Pascal, Ada, Algol, etc.
Fourth generation:
Very high-level language is the fourth-generation programming language that uses declarative, object-oriented, and English-like
constructs. It has been prevalent from 1971 to the present.
The programming language focuses on the ‘what’ rather than the ‘how’ of performing the task. Examples of very high-level
languages include SQL, Visual Basic, Lisp, etc.
Fifth generation:
Natural language is the fifth-generation programming language, which currently uses artificial intelligence
technology and is presently used in various computing devices, including mobile phones.
Some of the famous current AI implementations include Cortana from Microsoft, Google Now from Google, and
Siri from Apple.
The technology is in a nascent stage and will continue to develop for some time in the future.
Such a language utilizes particular algorithms to solve pertinent problems.
Compiled vs Interpreted
The programming languages are categorized as follows:
● Compiled language.
● Interpreted language.
● HTML, XML, and Active X.
Note that the choice of a programming language can have implications for security.
Compiled Languages
A more human readable language that is the source code is translated to more optimized machine language, which is the machine
code. It may be argued that almost any language can be compiled.
● COBOL, Fortran: Common Business Oriented Language and Formula Translation are some of the original high-level
programming languages. The “goto” construct in Fortran is derided for contributing to unstructured “spaghetti” code.
● BASIC: Beginners’ All-purpose Symbolic Instruction Code, as its name implies, was designed for the non-technical person to be
able to write programs.
● Pascal: Modest, reliable, and effective programming language designed to teach systematic programming concepts, named
after the mathematician Blaise Pascal. The Pascal language enabled the programmer to define their own datatypes.
● C: Devised in 1972 by Dennis Ritchie as a system implementation language for the operating system named UNIX. The use of
strcpy in C leads to a tendency toward buffer overflow conditions.
● Ada: Originally designed for embedded and real-time systems, which require a high degree of When compiled, if there are
ambiguities the compiler for Ada will most likely reject the code.
● C++: Is an enhancement to “C with Classes” adding the following: exception handling, templates, multiple inheritance,
operator overloading, and virtual functions.
● Java: A programming language designed, developed, and distributed by Sun Microsystems. The machine language is
extracted from the Java program via compilation: the Java compiler converts source code into bytecode, which is the machine
code for the Java Virtual Machine.
● C#: Takes an opposite view of programming focusing architecture first and the syntax second. Most compiled languages are
written without consideration of the underlying architecture. C# focuses on the underlying Common Language
Infrastructure (CLI) specification. C# can be used on multiple computer platforms.
● Visual Basic: The goal of a visual programming language is to make programming easier through visual or graphical
means, incorporating the concepts of object-oriented programming (OOP).
Interpreted language
● REXX: Restructured Extended Executor is a scripting language designed to be easy to read and learn.
● PostScript: Is a page description language for desktop publishing and laser printers developed by It solved
the crude dot matrix versus plotter printing problem.
● Perl: A scripting language originally developed for text manipulation. Its major strength is the programmer-supported
community, the Comprehensive Perl Archive Network (CPAN), which is the largest freely available code library.
● Ruby: Where most scripting languages are optimized for speed on the computer, Ruby is optimized for the user
experience.
● Python: According to the author of Python, Guido van Rossum, “Python is an interpreted, interactive,
object-oriented programming language.”
HTML, XML, and ActiveX
While these entities are related to programming, and some will refer to programming with them, they are not programming languages
as such.
● HTML: HTML is a language, but its use is for page layout and display.
● XML: XML defines the nature or characteristics of the data and what each piece of data means or It is actually used in
conjunction with other languages, such as HTML. A number of XML derived languages have security implications for web
applications.
● ActiveX: ActiveX is an underlying architecture that forms the basis for high-level software facilities, including transmitting,
sharing, and retrieving data among various applications.
● The Component Object Model (COM) technology is used in ActiveX controls and has found a niche in one of Microsoft’s
operating systems: Windows CE.
● It is not really a programming language.
● Another Microsoft technology sometimes identified with programming is Object Linking and Embedding (OLE), which is a
data format.
Program Utilities
Program utilities include:
● Assembler
● Compiler
● Interpreter
● Hybrid
Assembler: Translates assembly language to machine language. There is a close correspondence between
assembly mnemonic codes and machine opcodes.
Compiler: “Translates a high-level language into machine language”.
Interpreter: “Instead of compiling a program at once, the interpreter translates it statement-by-statement”.
Hybrid of compilation and interpretation:
There is also a hybrid of compilation and interpretation.
Source code is compiled into an intermediate stage, similar to object, machine, or assembly code.
In Java, this is known as byte code.
The intermediate stage code is then interpreted as needed.
The intent of the two-step process is to provide for compatibility between systems, since machine code is platform specific.
The interpreter, the Java Virtual Machine in Java, is particular to each platform, but can handle the intermediate code produced on
any platform.
Java is not the only language to use this type of system.
It was implemented as long ago as the UCSD-p system for Pascal.
Programming concepts
Programming requires the knowledge of the following concepts:
● System model
● Von Neumann architecture
● Object Oriented Programming (OOP)
System model: Instructions regarding source code files, development tools (such as compilers), and options to be used in creating the program or application.
In modern, large-scale applications, the system model may be extremely complex.
The specifics of the source code, tools, and configuration are vital in distinguishing the version or build of the program.
A common testing failure is improper specification of the system model to be tested, resulting in tests being performed on the wrong program.
Von Neumann architecture: Now used so widely that it is sometimes thought to be the only architectural model.
In the Von Neumann architecture, there is no difference between data and code.
Code can be processed as data; data can be executed.
Malware can modify existing programs, and malformed input can inject data into locations where it will be executed as program code. Other architectures
do exist, such as the Harvard architecture used and promoted by Howard Aiken.
Object-Oriented Programming (OOP)
The OOP concept is used in C++, which is C combined with object-oriented programming features.
The basic merit of OOP is code reusability, which reduces development time and minimizes coding cost.
If you develop a program in a language that has OOP built in, you can rest assured that the code you write once can be reused by you
as well as by other programmers, and vice versa, across multiple programs.
Various aspects of OOP can assist with security.
Data and functions can be hidden from the outside world.
However, functions may also be hidden from developers, so care must be taken when relying on security protection in OOP. Objects are
encapsulated, possibly providing some security.
Objects have methods (code with interfaces) and attributes (data) encapsulated together. The three main items in OOP are:
● Classes.
● Message.
● Objects.
Three main features of OOP
Inheritance: “An object that is called by another object or program derives its data and functionality from the calling object”.
Polymorphism: Different objects may respond to the same command in different manners.
An object that is derived from a class for which security has been defined may inherit its security characteristics or functions.
However, note that, due to polymorphism, the functions may not be fully secure in the derived object.
Polyinstantiation: Creating a new version of an object by changing attributes.
It may be used in support of security by removing data, or may be a risk due to the removal of security features.
Polyinstantiation is also the technique used to control or stop inference violations, by permitting numerous versions of the same data at numerous
classification levels.
This makes data hiding possible, as users at a lower classification level are unaware of the data present at the higher classification level.
Distributed programming
Distributed programming can use any of the following four major protocols:
● Distributed Component Object Model (DCOM).
● Simple Object Access Protocol (SOAP).
● Common Object Request Broker Architecture (CORBA).
● Enterprise Java Beans (EJB).
Distributed programming:
Distributed programming requires abstract communication between hosts. Distributed computing entails programs located on
different hosts cooperating in the same application.
Applications are divided into components; each can operate in a different location or platform. The four major protocols in use today are
DCOM, SOAP, CORBA, and EJB.
Distributed Component Object Model (DCOM):
This protocol is used specifically by Microsoft and is the default protocol for Windows operating systems. The protocol’s security was
once compromised by the Blaster worm, which used DCOM to spread itself.
Simple Object Access Protocol (SOAP): “SOAP Version 1.2 provides the definition of the XML-based information which can be
used for exchanging structured and typed information between peers in a decentralized, distributed environment.”
SOAP is a replacement for DCOM.
Common Object Request Broker Architecture (CORBA):
It is a platform-neutral, open set of standards. CORBA enables communication between applications irrespective of their
location.
It is based upon the Object Request Broker (ORB) concept, which creates the client/server relationship between objects.
A client can utilize an ORB on the same computer or gain access to a network for locating and executing a method on a server object.
Note that CORBA, and Object Request Brokers in general, are examples of the reference monitor concept from security architecture,
applied to distributed systems.
Enterprise Java Beans (EJB):
EJB is a server side Java component that abstracts both the web server and the database; it serves a web application via a browser.
It places the security requirements on the server side.
Threats and malware
Threats and malware that affect the security of applications include:
● Buffer overflow
● Denial of service
● Race condition
● Data hiding
● Alternate data streams
● Non-technical
● Malformed input attacks
● SQL injection
● Unicode attack
● Executable content/mobile code
● Web applets
● Dynamic email
● Object reuse
● Garbage collection
● Trap door
Now that we have covered the basic concepts of application security, let’s look at the threats to our applications including malware.
Here is a list of some of the things you should understand at the end of this unit:
● Identify some common programming vulnerabilities.
● The need for development controls to prevent the deployment of software, databases, business processes, or networks containing vulnerabilities.
● Identify and describe common malware types.
● Choose controls appropriate for different types of malware.
Buffer Overflow
A weakness arising from both poor coding practices and the programming language (typically C or C++).
The buffer overflow is one of the oldest and most common program vulnerabilities, having existed almost since interactive computing began.
● Buffers are the memory containers for programs executed by computers.
● Programs in execution define the buffers they will use.
● The amount of data that is sent by the program to the buffer is unknown until the time of execution.
● Overflow is the process of putting more than is expected into a container (buffer), which spills into some other place.
● When data overflows one buffer, it flows into another buffer or another program.
● The questions are: Where does the data go? What happens to the data that was in the second buffer?
● When an input is more than is expected, the program should reject the data gracefully.
● When the program does not reject the data gracefully, a buffer overflow occurs.
● Technically, to stop buffer overflows, you must check all bounds on array and pointer references for all executing code.
● Administratively: Bounds checking is an easy task for one programmer on one system, but to know how many other programs are running is difficult.
● When our computing environment is non-adversarial, users and programmers realize the mistake and perform their own reset.
● When our computing environment is adversarial, attackers will look for these flaws and use them as an opportunity to execute their code, thus taking
control of our computing resources.
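As an added example (not from the slides), the following C code shows the unchecked copy that the bullets above describe next to a bounds-checked version that rejects oversized input gracefully. The struct, the function names and the buffer size are this example's own assumptions.

```c
/* Added example, not from the slides: a fixed-size buffer filled without a
 * bounds check beside a version that checks the bound and rejects gracefully.
 * The names (struct record, fill_unchecked, fill_checked, NAME_LEN) are this
 * example's own. */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16  /* the buffer size the program defines for itself */

struct record {
    char name[NAME_LEN];  /* the buffer */
    int  is_admin;        /* an adjacent field that an overflow would spill into */
};

/* Vulnerable form: strcpy copies until it finds the terminating NUL in src,
 * so any src of NAME_LEN bytes or more writes past name[] (undefined
 * behaviour). Shown for contrast only and never called with oversized input. */
void fill_unchecked(struct record *r, const char *src)
{
    strcpy(r->name, src);
}

/* Hardened form: the input length is known only at execution time, so it is
 * checked then. Returns 0 on success and -1, leaving the record untouched,
 * when the input plus its terminator does not fit. */
int fill_checked(struct record *r, const char *src)
{
    size_t n = strlen(src);
    if (n >= NAME_LEN)
        return -1;
    memcpy(r->name, src, n + 1);
    return 0;
}

int main(void)
{
    struct record r = { "", 0 };
    const char *short_input = "alice";                     /* constructed */
    const char *long_input  = "AAAAAAAAAAAAAAAAAAAAAAAA";  /* 24 bytes, constructed */

    fill_unchecked(&r, short_input);  /* safe only because "alice" fits */
    if (fill_checked(&r, long_input) != 0)
        printf("rejected: %zu bytes do not fit in a %d-byte buffer\n",
               strlen(long_input), NAME_LEN);
    printf("name=%s is_admin=%d\n", r.name, r.is_admin);
    return 0;
}
```

The record places a privilege flag directly after the buffer so that the consequence of an unchecked copy is visible in the layout; fill_checked returns an error code instead of ever writing past name[], which is the graceful rejection the bullets call for.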
Denial of service:
The result of another person or process consuming the resources on the system, thus limiting the resources available to others.
It is an attack against availability. Denial of service generally does not involve erasure or destruction of data or resources.
A DoS does not need to be complex; for example, invalid searches on a website can cause a denial of service.
Race condition:
A false assumption about the current state of a program or a variable in a program that allows integrity to be reduced.
When two or more processes use the same resource, each process can falsely depend on the state of that resource being constant,
but each process can affect the resource.
For example: a glass is full of water and under an opaque box; whoever gets thirsty first drinks; the other assumes the glass to be full, and reaches for an empty
glass.
A particular type of race condition for file access is the Time of Check (TOC) to Time of Use (TOU) race.
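As an added example (not from the slides), the following C code shows the Time of Check to Time of Use race for file access named above, beside the usual fix of checking the descriptor that was actually opened. It assumes a POSIX system; the function names and the temporary file path are this example's own.

```c
/* Added example, not from the slides: a time-of-check/time-of-use (TOCTOU)
 * file race beside the form that removes the window. POSIX only; the names
 * (open_racy, open_checked, make_temp_file) are this example's own. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy form: stat() looks at whatever the path names now (time of check);
 * by the time open() runs (time of use) the path can name something else,
 * for example a symlink that another process swapped in. */
int open_racy(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return -1;
    return open(path, O_RDONLY);
}

/* Hardened form: open first, refusing to follow a symlink at the final path
 * component, then inspect the descriptor. fstat() describes the object that
 * was actually opened, so the check and the use refer to the same thing. */
int open_checked(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Demonstration helper: create a regular file with constructed content and
 * write its path into path_out. Returns 0 on success. */
int make_temp_file(char *path_out, size_t len)
{
    const char tmpl[] = "/tmp/toctou-demo-XXXXXX";
    if (sizeof tmpl > len)
        return -1;
    memcpy(path_out, tmpl, sizeof tmpl);
    int fd = mkstemp(path_out);
    if (fd < 0)
        return -1;
    if (write(fd, "hello\n", 6) != 6) {
        close(fd);
        return -1;
    }
    close(fd);
    return 0;
}

int main(void)
{
    char path[64], link[80];
    if (make_temp_file(path, sizeof path) != 0)
        return 1;
    snprintf(link, sizeof link, "%s-link", path);
    /* The link stands in for the swap that happens inside the race window. */
    if (symlink(path, link) != 0) {
        unlink(path);
        return 1;
    }
    int fd = open_checked(path);
    printf("regular file     : %s\n", fd >= 0 ? "opened" : "refused");
    if (fd >= 0) close(fd);
    fd = open_racy(link);
    printf("symlink, racy    : %s\n", fd >= 0 ? "opened" : "refused");
    if (fd >= 0) close(fd);
    fd = open_checked(link);
    printf("symlink, checked : %s\n", fd >= 0 ? "opened" : "refused");
    if (fd >= 0) close(fd);
    unlink(link);
    unlink(path);
    return 0;
}
```

The point is not the symlink itself but that open_racy has two separate trips through the filesystem, between which the state it relied on can change, while open_checked has one trip and then reasons only about the descriptor it holds.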
Data hiding in digital warrens:
A local computer has many places for an adversary to hide information from normal view.
The classic definition of a digital warren is the slack space, which is the unused portion of the hard disk between the end of the file and the end of the file cluster.
Alternate data streams: Also called system forks, these are additional hidden data associated with a file.
Most end-user applications will not show these files.
Non-technical threats: Threats such as legal, regulatory, and privacy risk are addressed in the Legal, Regulatory, Compliance and Investigation domain.
Malformed input attacks:
Malformed input, more generally known in security literature as malformed data, involves various means of getting illicit commands or packets through
defensive measures.
For example, denial of service packets that would normally be rejected by a firewall can be fragmented to the point that the firewall no longer recognizes the
individual fragments as malicious.
Commands (such as dir) can be sent to a web server in Unicode (%c0%af), which the server will properly interpret and act upon, but which a content filter may
not recognize as commands.
An attack using malformed input frequently involves commands or code that are somehow crafted to appear to be merely data, hence the name malformed
data.
These types of attacks are particularly prevalent in web applications.
Developers may use a shortcut in creating web pages by embedding SQL commands into an actual web link, in order to have commands passed to the supporting
application.
Attackers can view the source code, find such embedded commands, and modify them in an attempt to see what effect the modifications have on the
application.
SQL and Unicode are by no means the only forms of data that can be used in this way.
The buffer overflow attack can be seen as a special case of malformed data.
SQL injection:
A type of attack in which an intruder inserts a sequence of Structured Query Language (SQL) commands into an SQL statement.
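The difference between splicing input into an SQL statement and binding it as a parameter, run against an in-memory SQLite database. This is an added example, not from the lecture; the users table, its rows and the lookup functions are constructed for illustration (passwords are stored in clear only to keep the sample small).

```python
"""SQL injection: string-concatenated query beside the parameterized form.
Added example, not from the lecture; all data is constructed."""
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a two-row users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "battery staple")])
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str, password: str) -> List[str]:
    """Vulnerable: the input is spliced into the SQL text, so a quote
    character in the input ends the string literal and whatever follows is
    parsed as SQL rather than compared as data."""
    sql = (f"SELECT name FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return sorted(row[0] for row in conn.execute(sql))


def lookup_param(conn: sqlite3.Connection, name: str, password: str) -> List[str]:
    """Hardened: the SQL text is fixed and the values travel as bound
    parameters, so the database only ever treats them as values."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


def demo() -> dict:
    """Run both forms with an honest login and with the textbook
    tautology input, which should match nobody."""
    conn = make_db()
    tautology = "' OR '1'='1"
    return {
        "honest_concat": lookup_concat(conn, "alice", "correct horse"),
        "honest_param": lookup_param(conn, "alice", "correct horse"),
        "tautology_concat": lookup_concat(conn, "nobody", tautology),
        "tautology_param": lookup_param(conn, "nobody", tautology),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

With concatenation the statement the database parses becomes `... AND password = '' OR '1'='1'`, which is true for every row; the parameterized form returns no rows for the same input.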
Unicode attack: Unicode representations of control information may be passed by a firewall, but are correctly interpreted, with harmful effect, by the server.
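A path handler that canonicalizes before it filters: it percent-decodes the request, rejects the overlong UTF-8 form (%c0%af) from the text along with other undecodable bytes, and then decides on the normalized path rather than on the raw request a filter would match against. Added example, not from the lecture; the base directory and the sample requests are constructed.

```python
"""Decode, canonicalize, then decide: the order that defeats encoded-slash
and dot-segment tricks. Added example, not from the lecture material."""
import posixpath
from typing import Optional
from urllib.parse import unquote_to_bytes


def decode_path(raw: str) -> str:
    """Percent-decode and strictly UTF-8-decode a request path.

    The strict UTF-8 codec rejects overlong sequences (C0 AF is an overlong
    encoding of '/'), so a request that hides a slash that way is refused
    rather than silently turned into the character the filter never saw.
    """
    raw_bytes = unquote_to_bytes(raw)
    try:
        text = raw_bytes.decode("utf-8")        # strict by default
    except UnicodeDecodeError as exc:
        raise ValueError(f"undecodable path bytes: {exc.reason}") from None
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in text):
        raise ValueError("control character in path")
    if "\\" in text:
        raise ValueError("backslash in path")
    return text


def resolve_under(raw: str, base: str = "/var/www/html") -> Optional[str]:
    """Return the canonical file path for `raw`, or None if the request is
    malformed or would leave `base` once ./ and ../ segments are collapsed.
    `base` is a constructed document root."""
    try:
        text = decode_path(raw)
    except ValueError:
        return None
    full = posixpath.normpath(posixpath.join(base, text.lstrip("/")))
    if full == base or full.startswith(base + "/"):
        return full
    return None


if __name__ == "__main__":
    for req in ["index.html", "docs/../index.html", "..%2f..%2fetc/passwd",
                "%c0%af..%c0%afetc/passwd", "%00index.html"]:
        print(repr(req), "->", resolve_under(req))
```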
Executable content/mobile code:
Code that is downloaded to the user's machine and executed.
Running such programs on a computer may give the program unexpected access to resources on the machine.
The idea of mobile code goes by various names, including executable content, remote code, mobile code, mobile agents, downloadable code, and active capsules.
Code from a remote source can thus be executed on local machines.
Agent software is generally differentiated from other forms of mobile code by the additional autonomy of the program, and should, therefore, be subject to additional controls.
Mobile code threats are implemented through the following:
Web applets:
Small programs written in Java, scripting languages, or ActiveX controls.
In regard to the web, note that Java applets are usually subject to a sandbox, whereas JavaScript has no such protection.
Dynamic email: Active scripts or links included in email messages. Dynamic email is particularly dangerous. Unless a specific need is demonstrated, it may be best
to have policies restricting the functions available within email and mail user agent (MUA) software.
Object reuse:
An object previously used for another application or information storage may contain sensitive residual data.
Note that objects may be physical (drive storage) or logical (memory or variable assignments).
Garbage collection:
De-allocation of storage following program execution. Garbage collection may be both good and bad.
Programs written in C must call specific functions for memory deallocation.
If this is not done, the program may run out of memory. Programs written in Java have efficient garbage collection and more efficient memory use.
However, sometimes memory is re-assigned without being cleared, and, therefore, precautions must be taken to ensure confidential information is erased immediately after use.
Trap door:
A mechanism embedded in a program that allows the normal security access procedures to be bypassed.
Another term for trap door is maintenance hook.
A maintenance hook typically deals with the OS, while a trap door is used for applications.
Importance of Software development lifecycle
The software development life cycle (SDLC) comprises:
● Initiation phase
● System concept development phase
● Planning phase
● Requirements analysis phase
● Design phase
● Development phase
● Integration and test phase
● Implementation phase
● Operations and maintenance phase
● Disposition phase
Basics of Software Development life cycle
Many organizations have a great development process in place that does not specifically address security. Either security is assumed or forgotten. Many organizations use their own customized version of a software development methodology. Irrespective of the development method being followed, the software development life cycle (SDLC) possesses numerous important phases that can be presented separately or in unison. Different authors name these phases differently depending on the project size. The important aspect is not the name or number of steps, but the fact of having a progressive process that assists in managing development and detecting problems before they get too big. Some diagrams represent the development cycle in as little as 3 steps. The most expanded development model has 10 steps and is showcased as follows:
Initiate: A project initiates when there is a business need. Once the need is known, a project manager is assigned to accomplish the task. The manager then creates a concept proposal document to record the business needs. When the concept proposal document is approved by the business, the working concept is developed.
Conceptualize: After the project initiation stage is through, the concept is analysed to answer whether the project is appropriate and feasible. The scope of the project is streamlined via a project boundary document that needs consent from senior officials. Next the funding for the project is acquired, and then the planning is initiated.
Plan: Once the conceptualization phase is over, the concept document is advanced further by detailing how the organization will operate its business when the approved project is deployed and by judging how the project will affect employees and the privacy of customers. In the planning phase, project tools, schedules, activities, and resources are defined so that the project meets the client's requirements on time and within the allotted budget. In addition, this phase also incorporates accreditation activities, security certification, and high-level vulnerability assessment through identification of the project's security requirements.
Analyze Requirement: Once the planning phase is complete, user requirements in terms of functionality are determined, and the software performance, data, security, and maintenance requirements are accurately and precisely represented. The project requirements are defined to a level of sufficiency that will meet the system design specification. Analysis of the requirements is performed in a holistic way by relating them to the business needs recognized in the initiation phase and making them testable and measurable.
Design: After the requirement analysis phase is concluded, the system's physical characteristics are designed. In this phase the operating system platform is established, the subsystems and their inputs and outputs are determined, and resources are allocated to processes. The identified subsystems form the basis for the comprehensive structure of the system. The subsystems are partitioned into modules or units, and an in-depth logic specification is prepared for each module.
Develop: After the system specifications are documented in the design phase, they are translated into executable software, communications, and hardware. The hardware is assembled and tested, then the unit testing, integration, and retesting of the software is undertaken.
Integration and Test: After the development phase is completed, the various modules of the system undergo integration and methodical testing. Users perform functional testing as described in the functional requirements document, which is consulted to confirm its complete realization. The system undergoes accreditation activities and the security certification stage prior to the deployment of the software in the production environment.
Implement: Once the module integration and testing phase is finished, the developed software is installed on the client's machines. The implementation phase terminates after the deployed software is up and running with the complete functionality described in the requirements document.
Operate and Maintain: After the implementation phase comes the operation and maintenance phase, which is an ongoing process. In this phase, the deployed software is supervised to confirm that it functions as presented in the user's requirements document, and any required alterations are noted. An in-process review is done in order to make the developed software effective, efficient, and satisfactory. The software re-enters the planning phase when an alteration of the functionality is mandatory.
Dispose: Once the software is accepted and operational in the production environment, the software development cycle is terminated gracefully by preserving all the important data about the software for future purposes.
Detailed description of SDLC
● Project initiation and planning.
● Functional design definition.
● Detailed design specifications.
● Develop and document.
● Acceptance, testing and transition to production.
● Decommissioning/disposal.
● Critical data.
● Sanitize/destroy media.
● Software removal.
Project initiation and planning: The most important aspect to note here is that security should be involved from the very beginning of the project. And, as we
will see when dealing with development methods, work invested at this early stage will avoid problems and delays later in the process.
● Consider common attacks for this kind of application.
● Spanning Tree analysis.
● Determine risks and security requirements.
Functional design definition: Heed the fact that for each item in the development process, there is a corresponding security consideration. In fact, sometimes
we have to take more steps than the developers do. At this stage, we are considering abstract and sometimes formal security models and principles. We may
wish to apply separation of duties (to processes), least privilege, and possibly even need-to-know factors. Some input to the project may be based on analysis
such as:
● Risk analysis.
● Failure modes and effects analysis.
● Solutions and alternative designs.
Detailed design specifications: Consider, at this stage and later, error and exception handling possibilities. Design testing strategies, objectives, and specific tests to be run against the application. In this phase the flaw hypothesis method is used. It is a system penetration and analysis technique in which the documentation and specification are analysed to hypothesize flaws. The flaws are prioritized on the basis of the anticipated probability that the flaw is present, the ease of exercising the flaw, and the degree of compromise or loss of control the flaw could cause.
Develop and document: Note the mention of documentation, which is often neglected in development. Perform code analysis during this phase, possibly using code review tools.
Acceptance, testing and transition to production: The critical element in this phase is testing the program before it is brought into full production. Perform operational and destructive tests. Certification and accreditation are the final steps involved in accepting the system, as described in the Security Architecture domain; they are obtained once the application is in operation. Note that one of the security requirements will be to have assurance (trust in the proper operation of the controls and mitigation of risk), as well as functional security mechanisms.
Decommissioning/disposal: Note the recommendations on media sanitizing from the security management domain and also the inverse positions on data
recovery in investigation.
Critical data: Data which is critically important to support business operations, must be protected from accidental destruction or erasure.
Sanitize/destroy media: Storage media that has contained sensitive data must be adequately protected – perhaps through overwriting or destruction to prevent
the unauthorized recovery of data.
Software removal: When software is to be removed from systems, make certain that the software is not being used unexpectedly by other applications, and ensure that software is removed from systems that are being decommissioned or sold off in order to prevent license violations.
Software development methods
There are numerous methods by which software can be developed, such as:
● Waterfall
● Spiral method
● Clean room
● Structured programming development
● Iterative development
● Joint analysis development
● Prototyping
● Modified Prototyping Model (MPM)
● Rapid Application Development (RAD)
● Reuse model
● Computer Aided Software Engineering (CASE)
● Component-based development
● Extreme programming
● Agile development
There are numerous software development methods that have been developed to meet strict software development timeframes and the unique requirements of clients. The following list provides a brief overview of some of the most essential methods. When applying, mixing, or matching any of these methods to a project, ask whether enough risk has been addressed to satisfy the stakeholders.
● Waterfall: This software development method is probably the oldest model, and its creation is attributed to the great minds of the early 1970s. Each phase contains a list of milestones that need to be covered before the next phase initiates.
● Spiral method: This software development method differs from other methods in that each phase undergoes risk assessment. This helps to predict the cost of completing the project, and schedules are revised according to the outcome, thereby guiding the officials in deciding whether to cancel or continue the project.
● Clean-room: This software development method focuses on preventing defects rather than removing them and is followed to create high-quality software. The developer aims to write correct code in the first version and to control software bugs, thereby following the zero-defect approach to software development. Development time is minimized by following the strategy of incremental development and avoiding code rework. Most of the time is spent in the design phase rather than the testing phase.
● Structured programming development: This software development method focuses on the quality of the developed product in terms of security, understandability, consistency, and freedom from software bugs. It mandates discipline, controlled flexibility, and introspection, which are achieved through modularized programming, reviews and approvals in each phase, and defined processes, thereby permitting the addition of security in a formalized and structured manner.
● Iterative development: This software development method permits changes in the requirements of the software from the clients during the stages of its development. It provides flexibility to make successive refinements in the coding, design, and needs of the project. From the security perspective, the iterative method challenges software developers to provide adequate security controls as the requirements, specifications, and designs change.
● Joint Analysis Development (JAD): This software development method utilizes a management process to assist software developers to work efficiently by communicating with the client at vital phases of the project. The joint analysis development technique brings together a group of users, technical specialists, coders, and designers during the software development life cycle, thereby facilitating the software development process.
● Prototyping: This software development method's objective is to create a prototype, or simplified version, of an application, give it to the client for review, utilize the client's feedback, and create an improved version incorporating the feedback. The procedure is repeated until the client accepts the product. Prototyping involves beginning with a concept, designing and making use of the starting prototype, improving it until the prototype is in the acceptance stage, and finalizing the project and dispatching the final product.
● Modified Prototyping Model (MPM): This software development method permits the simplest of the functionality required by a system or component to be installed in a short time frame.
● Exploratory model: This software development method focuses on creating a usable system by making assumptions on system workability, combined with insights and suggestions based on whatever is presently available, to set requirements.
● Rapid Application Development (RAD): This software development method, as the name suggests, uses rapid prototyping, rapid software development tools, and a strict time frame in each phase to complete the project. One caveat of this methodology is that the rapid decision making may lead to inadequate design work.
● Reuse model: This software development method, as the name suggests, uses existing components to build an application.
● Computer Aided Software Engineering (CASE): This software development method uses computers for analysing, designing, developing, implementing, testing, and maintaining software in a structured and systematic way. Software developers must undergo training in order to use CASE tools. Computer aided software engineering is mainly used in complex, large, multi-environment projects in which multiple software components and several people are involved and work in a collaborative environment. With the help of this tool, the various participants in the software development process can share a common view of the various stages of the development. The tool also helps in organizing tasks, reusing designs and code, reducing software development cost, and improving software quality.
● Component-based development: This software development method uses standardized building blocks called components to assemble an application rather than developing it from scratch. This method helps to develop the software in an economical and scheduled manner. The components used are encapsulated sets of standardized data and methods for processing that data.
● Extreme programming: This software development method uses a specific structure to accelerate and simplify the software development process. The extreme programming (XP) team develops the application for a particular purpose and does not worry about adding unasked-for functionality that could decelerate the development process, thereby keeping the progress of the software development simple and regularizing design and testing.
● Agile development: This software development method describes development in short iterations to reduce risk.
Adherence to secure software development principles
The information security triad comprises:
● Confidentiality
● Integrity
● Availability
Information security triad
Application security primarily addresses the integrity part of the triad in an effort to maintain the accuracy of data. It also addresses the availability of the system by protecting against malware that may waste system and network resources. The following figure shows the information security triad.
● Confidentiality: The application must ensure that access is only given to authorized people or processes. The program (application) must also ensure that each user only gets access according to their privilege level. The application should limit the use of the application and its data to the intended purposes, and guard against covert channels and object reuse.
● Integrity: The application can often prevent the corruption of data through proper edit checks and controls. The application must also be written to ensure the correct and complete processing of transactions. Malware may specifically target the integrity of the data.
● Availability: The whole purpose of application security is to make it easy for users to access data correctly. The application must be written in such a way as to provide the information promptly. Even when applications are used as intended, if the application is not optimized for the number of users it may fail.
Web application security principles
Web application security principles include:
● Validate all input and output.
● Fail secure (closed)
● Fail safe.
● Make it simple.
● Defence in depth.
● Only as secure as the weakest link.
● Security by obscurity.
● Do not cache secure pages.
● Industry standard encryption.
● Monitor third party code vendors for security alerts.
● Validate all data.
● User data should be bounds checked.
Validate all input and output: Both input and output should be validated. Only allow data known to be valid.
Fail secure (closed): It is a design principle that makes it compulsory that, should anything fail, it fails in such a way that it is secure rather than failing and leaving everything open. An example is a firewall: should the firewall software crash, all traffic should be disallowed rather than allowed.
Fail safe (opened): It is a design principle that obligates that, if a part of a system fails, the failure does not cascade to break down the entire system, in particular access to the rest of the system. Thus, a system that fails open is good for availability, but not for confidentiality.
Make it simple: If a security system is too complex, it will either not be used or users will find ways to bypass it. An example is a rigorous password check where users have to write passwords down because they are too complex.
Defense in depth: The system should be designed in such a way that if one part of the system fails to catch a security breach, another part will, thereby providing defense in depth.
Only as secure as the weakest link: Attackers will search for the link that can be most easily breached in order to exploit it; therefore the system's security is only as strong as its weakest link.
Security by obscurity: While obscuring information may give you some time, you are not actually protecting the information, just relying on luck that someone won't find it. This is not an acceptable security position.
Do not cache secure pages: When data is transmitted via HTTPS, the client side should not be configured to store the data.
Industry standard encryption: Algorithms such as AES should be used whenever possible.
Monitor third party code vendors for security alerts: All applications and operating systems have security bulletins that must be reviewed on a continual basis.
Validate all data; user data should be bounds checked: All partner (third party) data should be verified against known values.
Application design & development security
Application design & development security include:
● Secure design methodology.
● Secure development methodology.
● Security testing.
● Change control and configuration management.
● Certification and accreditation.
● Vulnerability response plan.
Secure design methodology: It includes listing the skills required of developers, attack surface analysis, threat modelling, and security design review.
Secure development methodology: One should be used, including: assessment tools, check-in reviews, peer reviews, and version control of updates and configuration changes.
Security testing: It should have predetermined criteria and a testing methodology. Tools for security testing include: static scanners, coverage tools, control coverage, fuzzing, and penetration testing. Exceptions and error conditions should push the application past the data norms.
Change control and configuration management: For the application, and for the operating system on which the application will reside, configurations must be defined and moved from known-good state to known-good state.
Certification and accreditation: Certification is the technical evaluation of the system and the risk it poses to the environment; accreditation is management's acceptance of the risk of operating the system in the environment. The C & A process must be clearly defined.
Vulnerability response plan: It is the vendor side of patch management. When a vulnerability is reported, how is it handled? What validation is in place? What is the update preparation, update notification, and update dispersal process? How does the user community find out? Is your local CERT/FIRST team notified? Are your customers notified directly or via CVE?
Environment and controls
Security of the environment: It is controlled via physical controls.
Physical and logical separation of duties: It can be achieved with separate software interfaces.
Separation of production and development environments: It is performed by creating and using a development sandbox with permissions limited to the development team.
Retention of key personnel/knowledge: It is possible using good hiring practices.
Documentation of programs/systems/error handling: Documentation produced by the development team will aid next-version development and vulnerability management.
Security and monitoring of off-hours access: It is another physical security control, coupled with the access control systems; it will help in the event of an investigation.
Preventing social engineering: Through routine awareness training, ensure that everyone is trained on proper procedures. Following established security procedures is an excellent way to combat social engineering.
Essence of secure software development
Additional software protection mechanisms include:
● Cryptography.
● Access controls.
● Validation of external components.
● Backup and redundancy controls.
● Training.
● Transaction controls.
● Malicious code control.
● Documentation and common program.
● Testing and evaluation.
● Mobile code controls.
● Data contamination controls.
There are many protection mechanisms that are available and necessary for software. This list is not exhaustive, but it is meant to indicate some of the more common mechanisms and prompt the candidate to remember and study others.
Cryptography: Cryptography can be used in a variety of ways; note that the cryptography domain deals with authentication as well as the hiding of data. If an encrypted program file is infected by a virus, then the process of decryption, when the file is used, will scramble the virus code, preventing its intended operation (this does not guarantee the integrity of the program operation, but will, at least, subvert the attack). Cryptography can be used for availability as well. If data files are protected by encryption, then they may be made available in unsecured environments where confidentiality might otherwise be compromised. Calculating a hash of a program or patch may also prevent the malicious or accidental alteration of the software.
Access controls: Access controls may be installed at many levels, but not all are appropriate for all types of threats. Application level can have numerous access
controls installed, but this can open data to attacks by those working outside the specific application environment. Recall the issue of multiple paths to obtain
information, and ensure that access can be effectively controlled.
Validation of external components: The software that is used by the organization should be checked.
Off-site & contract development: Development by third parties does not transfer the risk. All business processes and contractual obligations must be reviewed.
Purchased APIs and libraries: Any tools required to run applications should be a part of the change control process.
Open source: Open source software is often misunderstood as "free" software. The important concept is that the source code for open source software is available to the user or purchaser, whereas with most software only the executable or object code is available to the purchaser. The security implications are debated, but most analysts feel that the ability for large numbers of users to examine the code results in systems with fewer unanticipated vulnerabilities.
Phases of open source code development/release:
● Vendor makes source code available for examination, modification, and extension.
● Various users may find and fix bugs.
● Attackers may find vulnerabilities.
● Disclosure (full/partial) is a related issue.
Backup and redundancy controls: Providing backups of operating system and application software ensures programs are available in the event of an outage or system crash. Purchased source code, or extra copies, should be kept in escrow. Redundancy controls, in relation to backups and hardware redundancy, are covered more fully elsewhere. Source code is normally not available to the purchaser of proprietary commercial software; therefore, where the ability to update and extend the software is critical to an enterprise, special arrangements may be made to have a third party hold a copy of the source code, in order to have the resource available in the event of failure or bankruptcy on the part of the software vendor or developer (the availability of source code is another argument used to promote open source software).
Training: All staff on the development team for design, coding and testing must be trained to assume security is built-in and not bolted on.
Transaction controls: For databases controls such as: Database rollback, checkpoint/restart must be addressed. Application controls of field initialization &
reuse, temporary file / workspace clearing, and variable clearing must be reviewed.
Malicious code control: Subtypes include change detection, activity monitoring, and known-signature scanning. These fundamental types of detection systems are somewhat, but not precisely, similar to the intrusion detection systems (IDS) mentioned in the access control domain. Note that these malware detection categories were proposed by Fred Cohen in 1983, and that all subsequent malware detection schemes have been variations.
For example, statistical-based, anomaly or rule-based, and signature-based IDS correspond to change detection, scanner, and activity monitor systems respectively.
Documentation and common program controls: The “common” system components; that is, those used by everyone, have a particularly strong requirement for
security. However, it is a truism that “everybody’s job is nobody’s job.” Therefore, do not neglect protection of these items. Note that while user documentation
provides little risk, system documentation may indicate areas of weakness or suggest points of attack. Therefore, system documentation, and configuration
information, should be subject to controlled access.
Testing and evaluation: Testing is a necessary, but very complex art. Therefore, it may be much easier to ensure proper program development to begin with
than to set up a testing regimen that will identify all possible error situations. Note that testing is a part of certification, and also change management and
control, seen elsewhere in this domain.
Mobile code controls: Sandbox is the security control mechanism for mobile code. Its main functionality is protection and testing. In this mechanism an
unverified program/software is executed in a controlled environment thereby making the host computer free from any harmful consequences. Sandbox is
somewhat similar to virtualization in terms of the specific functionality of providing highly secured and restrained environment. The program executed in
sandbox can have setting for limiting the memory size and processor usage. This limitation allows the web server to terminate the program and generate an
error log when the executed program exceeds the allowed limits, thereby safeguarding the safety of server functionality.
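A minimal version of the resource-limited sandbox described above: the untrusted program runs in a separate interpreter under a CPU-time and an address-space limit with a wall-clock backstop, and any overrun comes back as a status record fit for an error log. Added example, not from the lecture; it assumes a Linux host with the resource module, and the three sample programs are constructed.

```python
"""Run untrusted code under RLIMIT_CPU / RLIMIT_AS and report overruns.
Added example, not from the lecture material; assumes Linux."""
import resource
import signal
import subprocess
import sys


def run_sandboxed(code: str, cpu_seconds: int = 1,
                  mem_bytes: int = 1024 * 1024 * 1024,
                  wall_seconds: float = 15.0) -> dict:
    """Execute `code` in a fresh interpreter with limits applied in the child.

    Returns {"status": "ok" | "failed" | "killed", ...}. "failed" is a
    non-zero exit (for example MemoryError once the address-space cap is
    hit); "killed" is termination by signal (SIGXCPU at the CPU limit) or
    by the wall-clock timeout, which catches a child that sleeps rather
    than spins.
    """
    def apply_limits() -> None:
        # Runs in the child between fork and exec. The CPU soft limit sits
        # one second under the hard limit so the overrun arrives as SIGXCPU
        # instead of SIGKILL; the child cannot raise either limit again.
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds + 1))
        resource.setrlimit(resource.RLIMIT_AS, (mem_bytes, mem_bytes))

    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", code],   # -I: isolated interpreter
            preexec_fn=apply_limits,
            capture_output=True,
            timeout=wall_seconds,
        )
    except subprocess.TimeoutExpired:
        return {"status": "killed", "reason": "wall-clock limit exceeded"}
    if proc.returncode < 0:
        name = signal.Signals(-proc.returncode).name
        return {"status": "killed", "reason": f"terminated by {name}"}
    if proc.returncode != 0:
        lines = proc.stderr.decode(errors="replace").strip().splitlines()
        reason = lines[-1] if lines else f"exit status {proc.returncode}"
        return {"status": "failed", "reason": reason}
    return {"status": "ok", "stdout": proc.stdout.decode(errors="replace")}


# Constructed sample programs handed to the sandbox.
WELL_BEHAVED = "print(sum(range(1000)))"
CPU_HOG = "while True:\n    pass"                  # spins until SIGXCPU
MEMORY_HOG = "buf = bytearray(4 * 1024 ** 3)"      # 4 GiB, over the cap


if __name__ == "__main__":
    for label, prog in [("well-behaved", WELL_BEHAVED),
                        ("cpu hog", CPU_HOG), ("memory hog", MEMORY_HOG)]:
        print(label, run_sandboxed(prog))
```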
Data contamination controls: Some forms of output control can be used in isolation, but many rely on comparisons with input data. Erroneous input may be either deliberately malformed, as an attack, or the result of simple mistakes or carelessness. Both forms can be detrimental to correct operation or results.
Auditing and assurance mechanism
Auditing and assurance mechanisms are:
● Information integrity.
● Information auditing.
● Malware assurance.
Assurance is important in all domains of security, but it is particularly important in regard to systems and application development. Since much of the protection for information systems resides in software utilities and functions, it is vital that we have full confidence that the software systems are operating as designed and intended.
● Describe policies and techniques for system reliability and assurance.
● Identify special development situations and relevant mechanisms.
● Describe operations and acquisition management considerations and practices.
● Describe and understand change management principle.
Information integrity: Remember to provide checks for the integrity, consistency, and sanity of both input and output.
● Use cyclic counts for transactions, batch totals, hash totals, and balances.
● Compare what was processed against what was supposed to be processed.
● Check input accuracy; perform data validation and verification checks.
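The batch controls named above (record count, batch total, hash total) worked through as a sender-side control trailer that the receiver recomputes, so a dropped, mis-keyed or rerouted record is caught before the batch is posted. Added example, not from the lecture; the record layout and the sample batch are constructed.

```python
"""Batch integrity controls: count, batch total and hash total compared
against a control trailer. Added example, not from the lecture material."""
from dataclasses import dataclass
from decimal import Decimal
from typing import List


@dataclass(frozen=True)
class Txn:
    account: int        # numeric field that feeds the hash total
    amount: Decimal


@dataclass(frozen=True)
class ControlTrailer:
    record_count: int
    batch_total: Decimal   # sum of amounts
    hash_total: int        # sum of account numbers: meaningless as a value,
                           # useful because a substituted account changes it


def make_trailer(txns: List[Txn]) -> ControlTrailer:
    """The sender computes the trailer from the batch it actually sent."""
    return ControlTrailer(
        record_count=len(txns),
        batch_total=sum((t.amount for t in txns), Decimal("0")),
        hash_total=sum(t.account for t in txns),
    )


def verify_batch(txns: List[Txn], trailer: ControlTrailer) -> List[str]:
    """The receiver recomputes the controls and returns the discrepancies;
    an empty list means the batch reconciles."""
    got = make_trailer(txns)
    problems = []
    if got.record_count != trailer.record_count:
        problems.append(f"record count {got.record_count} != {trailer.record_count}")
    if got.batch_total != trailer.batch_total:
        problems.append(f"batch total {got.batch_total} != {trailer.batch_total}")
    if got.hash_total != trailer.hash_total:
        problems.append(f"hash total {got.hash_total} != {trailer.hash_total}")
    return problems


# Constructed sample batch and the trailer the sender attached to it.
SENT = [Txn(1001, Decimal("250.00")),
        Txn(1002, Decimal("75.50")),
        Txn(1003, Decimal("-30.25"))]
TRAILER = make_trailer(SENT)


def scenarios() -> dict:
    """Constructed error cases; returns how many controls each one trips."""
    cases = {
        "intact": list(SENT),
        "dropped": SENT[:-1],                                       # last record lost
        "transposed": [SENT[0], Txn(1002, Decimal("57.50")), SENT[2]],  # 75.50 keyed as 57.50
        "rerouted": [SENT[0], Txn(1020, Decimal("75.50")), SENT[2]],    # account changed, amount kept
    }
    return {name: len(verify_batch(batch, TRAILER)) for name, batch in cases.items()}


if __name__ == "__main__":
    for name, batch in [("dropped", SENT[:-1])]:
        print(name, verify_batch(batch, TRAILER))
    print(scenarios())
```

The transposed amount is caught only by the batch total and the rerouted account only by the hash total, which is why the text lists both rather than one.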
Information auditing: Auditing is important in a number of areas of security. It is not always easy to determine what information is relevant to the processing
of a particular system, and in auditing the flow of information it is very easy to bury yourself in data. These points should guide you on where to focus.
● Log and audit any action that could affect the release of sensitive information.
● The level and type of auditing depend on the features of the installed software and the sensitivity of the data.
● Record the type of activity performed and who took the action.
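An audit trail that records who did what to which sensitive resource and when, as an added example that is not code from the original slides. Each record carries an HMAC over its contents and the previous record's tag, so an edited, deleted or reordered entry breaks the chain on verification. The key is a constructed constant; in practice it would be held away from the application (key store or HSM) so a compromised application cannot re-sign a forged history. The sample records are constructed.

```python
"""Tamper-evident audit trail for actions that touch sensitive information.

Added example; not code from the original slides. Each record says who did
what, to which resource, and when, and carries an HMAC over the record and
the previous record's tag, so editing, deleting or reordering an entry
breaks the chain on verification. The key is a constructed constant here;
in practice it is held away from the application (key store or HSM) so a
compromised application cannot re-sign a forged history.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

AUDIT_KEY = b"constructed-demo-key-not-for-real-use"   # assumption: injected from a key store
GENESIS_TAG = "0" * 64                                  # previous-tag value for the first record


def _tag(key, prev_tag, payload):
    return hmac.new(key, prev_tag.encode() + payload.encode(), hashlib.sha256).hexdigest()


def append_entry(log, actor, action, resource, sensitivity, ts=None, key=AUDIT_KEY):
    """Append one record to `log` (a list of JSON lines standing in for an
    append-only file) and return its tag."""
    prev = json.loads(log[-1])["tag"] if log else GENESIS_TAG
    record = {
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "actor": actor, "action": action,
        "resource": resource, "sensitivity": sensitivity,
    }
    record["tag"] = _tag(key, prev, json.dumps(record, sort_keys=True))
    log.append(json.dumps(record, sort_keys=True))
    return record["tag"]


def verify_log(log, key=AUDIT_KEY):
    """Walk the chain; return (True, None) or (False, index of first bad record)."""
    prev = GENESIS_TAG
    for i, line in enumerate(log):
        record = json.loads(line)
        tag = record.pop("tag", None)
        expected = _tag(key, prev, json.dumps(record, sort_keys=True))
        if tag is None or not hmac.compare_digest(tag, expected):
            return False, i
        prev = tag
    return True, None


def build_sample_log():
    """Constructed sample: three actions against a customer record."""
    log = []
    append_entry(log, "alice", "read",   "customer/4711", "PII", ts="2024-05-01T09:00:00+00:00")
    append_entry(log, "bob",   "export", "customer/4711", "PII", ts="2024-05-01T09:05:00+00:00")
    append_entry(log, "alice", "update", "customer/4711", "PII", ts="2024-05-01T09:07:00+00:00")
    return log


def tamper_actor(log, index, new_actor):
    """Return a copy of the log where one record's actor was rewritten
    after the fact (what an attacker hiding their tracks would do)."""
    edited = list(log)
    record = json.loads(edited[index])
    record["actor"] = new_actor
    edited[index] = json.dumps(record, sort_keys=True)
    return edited


def drop_entry(log, index):
    """Return a copy of the log with one record deleted."""
    return log[:index] + log[index + 1:]


if __name__ == "__main__":
    log = build_sample_log()
    print(verify_log(log))                            # (True, None)
    print(verify_log(tamper_actor(log, 1, "alice")))  # (False, 1)
    print(verify_log(drop_entry(log, 1)))             # (False, 1)
    print(verify_log(log[:-1]))                       # (True, None): truncating the tail is not caught
```

The last call shows the limit of a chain on its own: cutting off the newest records leaves a valid prefix. Anchor the latest tag somewhere the application cannot write, for instance by shipping it to a separate log host or publishing a signed daily digest, and truncation becomes detectable too.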
Malware assurance: Effective and workable policies are one of the best protections against malware of all kinds.
Most malware is permitted entry, or even aided, by users running software from questionable sources. When reviewing anti-malware systems, keep their basic
purpose in mind and make the effectiveness of the system the prime consideration.
Do not place undue emphasis on ease of use or attractive interfaces that mask a lack of basic operational effectiveness. As noted previously, automated
(on-access) scanning is a good first line of defense, but it is less thorough than a manual (on-demand) scan.
Manual scans should therefore be run regularly as a backup. Regularly check that your anti-malware systems are, in fact, operating. Many users like to rely on
disinfection to deal with malware because it seems a quick and easy solution.
Note, however, that disinfection is not always effective and, in many cases, is not possible.
The preferred and safer method of dealing with malware is to remove every infected item that is detected and restore it from a known-clean backup. Activity
monitoring and auditing is particularly important on communication systems.
Monitoring open ports and outgoing email may not prevent infection, but it will often reveal that a machine is infected or has a remote-access trojan (RAT) or
bot ("zombie") installed.
Make specific checks of your operating system, server, and protective software. Keeping systems patched and updated is an important part of malware protection.
Patch management is itself an important matter and is discussed shortly. Egress scanning deserves particular mention: certain types or volumes of outbound
traffic may indicate the presence of malware even when regular scanning software does not detect it on individual machines.
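The egress monitoring described above, as an added example that is not code from the original slides: detection logic run over an outbound-connection log, flagging the three signs of an infected host that the text mentions, mail leaving from a workstation rather than the relay (spam bot or open relay), a large fan-out to distinct destinations (scanning or spamming), and connections to one destination at a steady interval (a RAT or bot beaconing to its controller). The log format ("timestamp src dst dport bytes", one connection per line), the thresholds and the sample lines are assumptions; the sample uses documentation address ranges.

```python
"""Egress monitoring over an outbound-connection log.

Added example; not code from the original slides. The log format is an
assumption: one connection per line, "timestamp src dst dport bytes".
The sample lines are constructed and use documentation address ranges.
Three signs of an infected host are flagged: many outbound SMTP connections
(a spam bot or open relay), a large fan-out to distinct destinations
(scanning or spamming), and connections to one destination at a steady
interval (a RAT or bot beaconing to its controller).
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def parse_line(line):
    ts, src, dst, dport, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes)}


def detect_egress_anomalies(lines, smtp_max=5, fanout_max=20,
                            beacon_min=6, beacon_jitter=0.10):
    """Return sorted (source_host, reason) alerts. The thresholds are
    assumptions that would be tuned to the site's normal traffic."""
    recs = sorted((parse_line(ln) for ln in lines), key=lambda r: r["ts"])
    smtp_count = defaultdict(int)
    destinations = defaultdict(set)
    flows = defaultdict(list)          # (src, dst, port) -> connection times
    for r in recs:
        if r["dport"] == 25:
            smtp_count[r["src"]] += 1
        destinations[r["src"]].add(r["dst"])
        flows[(r["src"], r["dst"], r["dport"])].append(r["ts"])

    alerts = []
    for src, n in smtp_count.items():
        if n > smtp_max:
            alerts.append((src, f"{n} outbound SMTP connections; mail should leave via the relay"))
    for src, dsts in destinations.items():
        if len(dsts) > fanout_max:
            alerts.append((src, f"{len(dsts)} distinct destinations; scanning or spamming"))
    for (src, dst, port), times in flows.items():
        if len(times) < beacon_min:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # low relative jitter between connections = machine-driven beacon, not a person
        if mean > 0 and statistics.pstdev(gaps) / mean < beacon_jitter:
            alerts.append((src, f"beacon to {dst}:{port} every ~{mean:.0f}s; possible RAT/C2"))
    return sorted(alerts)


# --- constructed sample log ---------------------------------------------
def _line(offset_s, src, dst, dport, nbytes):
    ts = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc) + timedelta(seconds=offset_s)
    return f"{ts.isoformat().replace('+00:00', 'Z')} {src} {dst} {dport} {nbytes}"


SAMPLE_LOG = (
    [_line(i * 37, "10.0.0.12", f"203.0.113.{i + 1}", 443, 1500 + 10 * i) for i in range(6)]   # normal browsing
    + [_line(5 + i * 3, "10.0.0.33", f"198.51.100.{i + 1}", 25, 900) for i in range(30)]          # spam bot
    + [_line(t, "10.0.0.45", "192.0.2.9", 4444, 210) for t in (0, 60, 121, 180, 240, 302, 360, 420)]  # beacon
)

if __name__ == "__main__":
    for src, reason in detect_egress_anomalies(SAMPLE_LOG):
        print(src, reason)
```

None of these checks needs a signature for the malware itself, which is the point of the paragraph: the infected workstation's traffic pattern gives it away even when the scanner on that machine sees nothing. The beacon check is the one most worth keeping; real implants add jitter deliberately, so the tolerance is a tuning knob rather than a constant.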
Now that the basic concepts of programming languages and application security have been covered, the next section discusses input validation and sensitive data
in detail: weaknesses in these areas arise from poor software design and can create serious problems.

More Related Content

Similar to CSE18R264 - Unit 1.pptx

Chapter_01.ppt
Chapter_01.pptChapter_01.ppt
Chapter_01.pptMSahibKhan
 
The Product and Process(1).pdf
The Product and Process(1).pdfThe Product and Process(1).pdf
The Product and Process(1).pdfShivareddyGangam
 
BSC Software & Software engineering-UNIT-IV
BSC Software & Software engineering-UNIT-IVBSC Software & Software engineering-UNIT-IV
BSC Software & Software engineering-UNIT-IVYamunaP6
 
Software Engineering
Software EngineeringSoftware Engineering
Software EngineeringMohamed Essam
 
Chapter 01
Chapter 01Chapter 01
Chapter 01ryan aja
 
What is software engineering
What is software engineeringWhat is software engineering
What is software engineeringJennifer Polack
 
Unit 1 importance ofsoftengg_b.tech iii year
Unit 1  importance ofsoftengg_b.tech iii yearUnit 1  importance ofsoftengg_b.tech iii year
Unit 1 importance ofsoftengg_b.tech iii yearPreeti Mishra
 
Unit 1 introduction tosoftengg_mba tech ii year
Unit 1  introduction tosoftengg_mba tech ii yearUnit 1  introduction tosoftengg_mba tech ii year
Unit 1 introduction tosoftengg_mba tech ii yearPreeti Mishra
 
Notes of Software engineering and Project Management
Notes of Software engineering and Project ManagementNotes of Software engineering and Project Management
Notes of Software engineering and Project ManagementNANDINI SHARMA
 
SE chp1 update and learning management .pptx
SE chp1 update and learning management .pptxSE chp1 update and learning management .pptx
SE chp1 update and learning management .pptxssuserdee5bb1
 
Software Engineering
Software EngineeringSoftware Engineering
Software Engineeringtanni821216
 
Comprehensive Guide on Software Development Process.pdf
Comprehensive Guide on Software Development Process.pdfComprehensive Guide on Software Development Process.pdf
Comprehensive Guide on Software Development Process.pdfSmith Daniel
 

Similar to CSE18R264 - Unit 1.pptx (20)

Chapter_01.ppt
Chapter_01.pptChapter_01.ppt
Chapter_01.ppt
 
SE Lecture 1.ppt
SE Lecture 1.pptSE Lecture 1.ppt
SE Lecture 1.ppt
 
SE Lecture 1.ppt
SE Lecture 1.pptSE Lecture 1.ppt
SE Lecture 1.ppt
 
The Product and Process(1).pdf
The Product and Process(1).pdfThe Product and Process(1).pdf
The Product and Process(1).pdf
 
BSC Software & Software engineering-UNIT-IV
BSC Software & Software engineering-UNIT-IVBSC Software & Software engineering-UNIT-IV
BSC Software & Software engineering-UNIT-IV
 
Software Engineering
Software EngineeringSoftware Engineering
Software Engineering
 
Software engineering unit 1
Software engineering unit 1Software engineering unit 1
Software engineering unit 1
 
Ch1 introduction
Ch1 introductionCh1 introduction
Ch1 introduction
 
Chapter 01
Chapter 01Chapter 01
Chapter 01
 
What is software engineering
What is software engineeringWhat is software engineering
What is software engineering
 
Unit 1 importance ofsoftengg_b.tech iii year
Unit 1  importance ofsoftengg_b.tech iii yearUnit 1  importance ofsoftengg_b.tech iii year
Unit 1 importance ofsoftengg_b.tech iii year
 
Unit 1 introduction tosoftengg_mba tech ii year
Unit 1  introduction tosoftengg_mba tech ii yearUnit 1  introduction tosoftengg_mba tech ii year
Unit 1 introduction tosoftengg_mba tech ii year
 
Ch1
Ch1Ch1
Ch1
 
Chapter 01
Chapter 01Chapter 01
Chapter 01
 
Chapter 01
Chapter 01Chapter 01
Chapter 01
 
Notes of Software engineering and Project Management
Notes of Software engineering and Project ManagementNotes of Software engineering and Project Management
Notes of Software engineering and Project Management
 
SE chp1 update and learning management .pptx
SE chp1 update and learning management .pptxSE chp1 update and learning management .pptx
SE chp1 update and learning management .pptx
 
Software Engineering
Software EngineeringSoftware Engineering
Software Engineering
 
Importance of software engineering
Importance of software engineeringImportance of software engineering
Importance of software engineering
 
Comprehensive Guide on Software Development Process.pdf
Comprehensive Guide on Software Development Process.pdfComprehensive Guide on Software Development Process.pdf
Comprehensive Guide on Software Development Process.pdf
 

Recently uploaded

Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about usDynamic Netsoft
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfjoe51371421
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 

Recently uploaded (20)

Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about us
 
Exploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the ProcessExploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the Process
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 

CSE18R264 - Unit 1.pptx

  • 1. CSE18R264 - IT Application Security Unit -1 Introduction to software development and application security
  • 2. Software development requires the understanding of the following: ● Basics of software development. ● Essence of software development. ● Know how of software development.
  • 3. Basics of Software Development ● The compound word software development has two parts, software plus development. ● software is a well-defined collection of computer programs. ● computer program is a well-defined collection of computer codes written in a programming language. ● A computer program is built using the concept of stacking and nesting of computer codes and the execution of the codes is governed by the programming logic of sequence, selection, and repetition. ● The role of a computer program is basically to perform the desired task as coded by a computer programmer, who is otherwise known as a software developer. ● A computer program thus enables a computer to take input, process it, and generate result(s) as output. ● A computer software, thereby, governs computer hardware and brings it to functionality. ● Without software a computer cannot perform data processing, number crunching, and web application tasks that need the usage of Internet, servers, and electricity.
  • 4. ● On the other hand, the second part development is the process of creating, improving, and advancing a computer program in a logical manner adhering to the latest and improved algorithms and data structures that consolidate a computer program. ● An optimized computer program minimizes time and space complexity, which needs innovation, research, and endeavour from the software developer’s end. ● The art of computer programming is a wonderful, imaginative, and revered job that is ever appreciated by humankind. ● Once a logical set up of the optimized computer programs are made and is consolidated as a software. ● It can be used for application or operating system purpose as it is intended. ● Therefore, the task of a software developer is to develop software for computer system that can act as an operating system or can be tailor-made for a specific application such as web application, database application, or custom application. ● Therewith, software development is a process of creating a new software or improving the existing software that caters to the current needs of computing devices, organizations, groups, or individuals by planning, designing, implementing, testing, and maintaining the developed software.
  • 5. Essence of software development The contemporary world has seen a paradigm shift from paper-based work environment to computer-based work environment. The need to provide and obtain information in the quickest possible manner gave impetus to information technology. Now you can see a world completely and universally reliant on the computing power of computers, group of interconnected computers, and the worldwide group of interconnected computers therefrom constituting a network such as intranet, extranet, and the Internet. Software development is essential to provide an organisation the power to render information as an embodiment of omnipresence, omniscience, and omnipotence to users. Indeed, your search now has just transmigrated from the traditional library-based search to get hold of the requisite books to obtain information to electronic-based search using the latest search engine that provides the same and better search quality in a jiffy. what is this search engine.
  • 6. To your surprise search engines are nothing more than a software that performs a through search from the humongous databases scattered world-wide to cater to what you need in your search result. These search engines such as Bing, Yahoo, or Google basically does the task of searching content on the basis of your keywords that you have typed on the search text box. This might give you a perspective that when you need to know about an organisation, product, or anything you desire you can by all means take the help of these search engines and obtain the result as information. Now to make the searches visible the following things need to be done: first make a web application promoting your company, its essence, and services; second market your web application to make it search engine optimizable so that it can rank at the top of the search list; last but not the least make your web application secure.
  • 7. Knowhow of software development Software development needs an in-depth understanding of programming languages, involves a systematic approach for its development process, obligates the use of software development life cycle, and development procedure by pursuing a standard and befitting software development methodology. The choice of language depends upon the usage and requirements of the user, business, or computational machine. The programming languages as invented from the antiquity of computer generation to modernity are machine language, assembly language, high level language, very high level language, and natural language. Being a modern being you must follow the latest technology, Software development methodology, and the future-ready programming language. This will not only help you to develop state-of-the-art application software but also implement robust application security This will protect information from misuse, breaches, and tampering, thereby making information safe, secure, and stable.
  • 8. Now, after you have decided the language that you will use to develop the software. You are also willing to take a systematic approach to develop the software, are ready to experience the software development process through various phases as portrayed in the software development life cycle, to execute the cutting-edge software development methodology; make a proposal document for the organization to which you are developing the software. Begin your journey of software development from the feasibility analysis by ensuring financial soundness and technical feasibility of the proposed software development project. Then proceed to the requirement analysis and specification so that you can understand the clienteles’ requirements and organize it in a working document. There is no mathematical or logical approach to requirements gathering, nevertheless you can follow the footsteps of experts through interviewing, questionnaires, observations, review of policies and records of the organization, and creating crisp data flow diagrams or flowcharts to analyse the requirements of the business.
  • 9. Application Security Application security requires the understanding of the following: ● Fundamentals of application security. ● Nitty-gritties of application security. ● How-tos of application security.
  • 10. Fundamentals of application security Application security refers to the controls or countermeasures that are included within and applied to system and application software, which include operating system and specific software developed for particular purpose such as web application, database application, etc. Specialized security controls are required in database applications to manage security risks inherent in volume of data being handled, and for web applications due to accessibility requirements that create risk of infiltration of information system. During the software development life cycle, you must develop software in a secure and controlled manner so that the developed software should have controls built to support the security goals of the organization. The security risks that crop up in the software development discipline include malware, bugs, unseen vulnerabilities, and careless programming practices, which form the major means for attackers to achieve unauthorized access, system intrusions, breaches of security and integrity, network misuse, and other offensives. In addition, improper processing impacts integrity that maintains the accuracy of data, development errors often create problems for availability that eases users to access data correctly, and This will protect the information for improper disclosure and protecting the secrecy and privacy of sensitive data that ensure confidentiality.
  • 11. During the security system testing, you must perform application security testing to evaluate the controls over the application and process flow, which include the application’s resistance to buffer overflow, usage of encryption to protect the confidentiality and integrity of application, user authentication, integrity of the Internet user’s session with the host application, and use of cookies. The vulnerability focus for secure software development include input validation (IV), sensitive data (SD), authentication, authorization, configuration management (CM), session management (SM), cryptography, parameter manipulation (PM), exception management (EM), auditing and logging, which are the key areas where errors are most often committed.
  • 12. Nitty-Gritties of application security Application plays a vital role in imposing the security of the system through appropriate controls, edit checks, and audit trails. Applications can incur challenges for software developers, graphic designers, and system architects if they want to create a robust application keeping security perspective in mind. In order to create the most secure and hack-resilient applications. you need to build the application meeting all the current security needs. If the application is not securely designed, then there will be concerns for its deployment as it can lead to security breaches. When organizations offer access to core business functionality through web-based applications, new security vulnerabilities are introduced. Even with a firewall and other monitoring systems, security can be endangered when data traffic must be permitted to pass via firewall. Then you need to implement the concepts of application security to safeguard against security breaches. As an information security professional, you must understand the application development environment in order to provide input and guidance for including security controls into application development projects.
  • 13. Application should be developed in a secure and controlled manner, and have controls built to support the security goals of the organization. Some software such as malware have been deliberately developed to break the security of information systems, and this area requires particular study as well. Note that malware is not the only security risk in the software arena. Bugs, unseen vulnerabilities, and careless programming practices are the major means for attackers to achieve unauthorized access, system intrusions, breaches of security and integrity, network misuse, and other offensives. In addition, improper processing destroys integrity and development errors often create problems for availability. Software can be either a security weakness or a security strength. Properly designed and implemented software can help enforce the accuracy of changes to data, ensure that data is not shared with unauthorized people, ensure that the systems function correctly through balancing and reports, and track all access to data.
  • 14. How-tos of application security You need to apply sound design and architectural best practices, incorporate organization’s security policies and standards, and reflect on deployment strategies in order to build a robust application. Database applications, while a mature and established technology, have specialized requirements and security risks inherent in the volume of data being manage. Web applications also have specific risks, due to the accessibility requirements, which can have some of the major points of attack for penetration of information system Remember from computer and security architecture perspective, application versus operating system is a highly simplified view of the complexity of an actual computer operation, and also that complexity is the enemy of security. Note that software protection controls may be applied to any or all of the components, and that software development controls should be applied to all.
  • 15. Also note that, with the complexity of the many components that can be involved in a given application, management and controls on the development of the system are all the more important. Systems and Software Development Projects rarely meet the expectations of the business and seldom integrate the required security principles into the final product. It is important that an organization follows good project management controls, which include a systems development methodology like Systems Development Life Cycle (SDLC) that include the involvement of the business and the security department throughout the lifespan of the project. This includes change management controls over the project to prevent uncontrolled changes to the project and the dangers of developing ‘scope’. The complexity of business processes and systems today makes security more difficult than ever. Many applications are built to interface with numerous backend systems or data sources – often through some form of Middleware. The integration of data and systems makes the protection of data all the more difficult to ensure compliance with privacy regulations.
  • 16. Basics of programming languages Generations of programming languages are as shown below: ● First generation ● Machine language ● Second generation ● Assembly language ● Third generation ● High-level language ● Fourth generation ● Very high-level language ● Fifth generation ● Natural language Programming languages were developed over the years and improved in both ease of use and increased functionality. This has made programming of an application much simpler but has also increased the risk due to ‘non- professional’ programmers developing applications without security controls or following proper programming practices. All organizations have to ensure that they have proper backups of all software, as well as documentation of the function of the software.
  • 17. First generation: Machine language is the first-generation programming language that uses binary codes in the form of bits comprising of series of 0s & 1s, vacuum tubes as internal circuits for processing of codes, magnetic drums for storing coded data, and was prevalent in the year 1940 to 1956. Humans are not good at remembering numbers and hence this language was difficult for programmers to memorize the code, understand the programming, and utilize the language with ease. Second generation: Assembly language is the second-generation programming language that uses mnemonic codes comprising of small words representing commands such as ADD, MUL, SUB, JMP, MOV, DIV, etc., transistors for internal circuits for processing of codes, magnetic tapes for storing of coded data, and was prevalent in the year 1956 to 1963. Mnemonics though helpful to the programmer for coding and understanding but was not easy for general users. Assembler extracts machine language code that computer understands from the assembly language program, thereby helping the computer to execute the code.
  • 18. Third generation: High-level language is the third-generation programming language that uses human understandable traditional code for creating programs such as while, if, etc.; integrated circuits for processing of programs; magnetic disk for storing coded data; and was prevalent in the year 1964 to 1971. The programming language has introduced the concept of control structures, data structures, machine independence of program using compiler that can convert the program to machine dependent code for execution, etc. Examples of high level language include C, Pascal, ADA, Algol, etc. Fourth generation: C Very high-level language is the fourth-generation programming language that uses declarative, object oriented, and English-like. This was prevalent in the year 1971 to present. The programming language focuses on what part rather than how part to perform the task. An example of very high-level language includes SQL, Visual Basic, Lisp, etc.
  • 19. Fifth generation: Natural language is the fifth-generation programming language. It currently uses artificial intelligence technology and is presently used in various computing devices, including mobile phones. Some of the well-known current AI implementations include Cortana from Microsoft, Google Now from Google, and Siri from Apple. The technology is in a nascent stage and will continue to prevail for some time in the future. The programming language utilizes particular algorithms to solve pertinent problems.
  • 20. Compiled vs Interpreted
  The programming languages are categorized as follows:
  ● Compiled languages.
  ● Interpreted languages.
  ● HTML, XML, and Active X.
  Note that the choice of a programming language can have implications for security. Compiled languages, interpreted languages, and HTML, XML, and Active X are discussed in the following topics:
  • 21. Compiled Languages
  A more human-readable language, the source code, is translated into a more optimized machine language, the machine code. It may be argued that almost any language can be compiled.
  ● COBOL, Fortran: Common Business Oriented Language and Formula Translation are some of the original high-level programming languages. The "goto" construct in Fortran is derided for contributing to unstructured "spaghetti" code.
  ● BASIC: Beginners All-purpose Symbolic Instruction Code, as its name implies, was designed so that the non-technical person could write programs.
  ● Pascal: A modest, reliable, and effective programming language designed to teach systematic programming concepts, named after the mathematician Blaise Pascal. The Pascal language enabled programmers to define their own data types.
  ● C: Devised in 1972 by Dennis Ritchie as a system implementation language for the UNIX operating system. The use of strcpy in C, which copies without checking the destination size, tends to lead to buffer overflow conditions.
  ● Ada: Originally designed for embedded and real-time systems, which require a high degree of When compiled, if there are ambiguities, the Ada compiler will most likely reject the code.
  • 22. ● C++: An enhancement of "C with Classes" adding exception handling, templates, multiple inheritance, operator overloading, and virtual functions.
  ● Java: Java is a programming language designed, developed, and distributed by Sun Microsystems. The machine language is extracted from the Java program via compilation: the Java compiler converts source code into bytecode, which is the machine code for a Java Virtual Machine.
  ● C#: Takes the opposite view of programming, focusing on architecture first and syntax second. Most compiled languages are written without consideration of the underlying architecture; C# focuses on the underlying Common Language Infrastructure (CLI) specification. C# can be used on multiple computer platforms.
  ● Visual Basic: The goal of a visual programming language is to make programming easier for the programmer through visual or graphical means, incorporating the concepts of object-oriented programming (OOP).
  • 23. Interpreted languages
  ● REXX: Restructured Extended Executor is a scripting language designed to be easy to read and learn.
  ● PostScript: A page description language for desktop publishing and laser printers developed by It solved the crude dot matrix versus plotter printing problem.
  ● Perl: A scripting language originally developed for text manipulation. Its major strength is the programmer-supported community Comprehensive Perl Archive Network (CPAN). CPAN is the largest freely available code library.
  ● Ruby: Where most scripting languages are optimized for speed on the computer, Ruby is optimized for user experience.
  ● Python: According to the author of Python, Guido van Rossum, "Python is an interpreted, interactive, object-oriented programming language."
  • 24. HTML, XML and Active X
  While these entities are related to programming, and some will refer to programming with them, they are not programming languages as such.
  ● HTML: HTML is a language, but its use is for page layout and display.
  ● XML: XML defines the nature or characteristics of the data and what each piece of data means or It is actually used in conjunction with other languages, such as HTML. A number of XML-derived languages have security implications for web applications.
  ● Active X: Active X is an underlying architecture that forms the basis for high-level software facilities, including transmitting, sharing, and retrieving data among various applications.
  ● The Component Object Model (COM) technology is used in Active X controls and has found a niche in one of Microsoft's operating systems: Windows CE.
  ● It is not really a programming language.
  ● Another Microsoft technology sometimes identified with programming is Object Linking and Embedding (OLE), which is a data format.
  • 25. Program Utilities
  Program utilities include:
  ● Assembler
  ● Compiler
  ● Interpreter
  ● Hybrid
  Assembler: Translates assembly language to machine language. There is a close correspondence between assembly mnemonic codes and machine opcodes.
  Compiler: "Translates a high-level language into machine language".
  Interpreter: "Instead of compiling a program at once, the interpreter translates it statement by statement".
  • 26. Program Utilities
  Hybrid of compilation and interpretation: There is also a hybrid of compilation and interpretation. Source code is compiled into an intermediate stage, similar to object, machine, or assembly code; in Java, this is known as bytecode. The intermediate-stage code is then interpreted as needed. The intent of the two-step process is to provide compatibility between systems, since machine code is platform specific. The interpreter (the Java Virtual Machine in Java) is particular to each platform, but can handle the intermediate code produced on any platform. Java is not the only language to use this type of system; it was implemented as long ago as the UCSD p-System for Pascal.
  • 27. Programming concepts
  Programming requires knowledge of the following concepts:
  ● System model
  ● Von Neumann architecture
  ● Object-Oriented Programming (OOP)
  System model: Instructions regarding source code files, development tools (such as compilers), and options to be used in creating the program or application. In modern, large-scale applications, the system model may be extremely complex. The specifics of the source code, tools, and configuration are vital in distinguishing the version or build of the program. A common testing failure is improper specification of the system model to be tested, resulting in tests being performed on the wrong program.
  Von Neumann architecture: Is now used so widely that it is sometimes thought to be the only architectural model. In the Von Neumann architecture, there is no difference between data and code: code can be processed as data, and data can be executed. Malware can modify existing programs, and malformed input can inject data into locations where it will be executed as program code. Other architectures do exist, such as the "Harvard architecture" used and promoted by Howard Aiken.
  • 28. Object-Oriented Programming (OOP)
  The OOP concept is used in C++, which is the composite of C with object-oriented programming features. The basic merit of OOP is its code reusability, which reduces development time and minimizes coding cost. If you are developing a program in a language that has OOP built in, you can rest assured that the code you type in once can be used by you as well as by other programmers, and vice versa, making it usable in multiple programs.
  Various aspects of OOP can assist with security. Data and functions can be hidden from the outside world. However, functions may also be hidden from developers, so care must be taken when relying on security protection in OOP. Objects are encapsulated, possibly providing some security. Objects have methods (code with interfaces) and attributes (data) encapsulated together.
  Three main items in OOP:
  ● Classes.
  ● Messages.
  ● Objects.
  • 29. Three main features of OOP
  Inheritance: "An object that is called by another object or program derives its data and functionality from the calling object".
  Polymorphism: Different objects may respond to the same command in different manners. An object that is derived from a class for which security has been defined may inherit its security characteristics or functions. However, note that, due to polymorphism, the functions may not be fully secure in the derived object.
  Polyinstantiation: Creating a new version of an object by changing attributes. It may be used in support of security by removing data, or may be a risk due to removal of security features. Polyinstantiation is also the technique used to control or stop inference violations by permitting numerous versions of the same data at numerous classification levels. This makes data hiding possible, as users at a lower classification level are unaware of the data present at the higher classification level.
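  The polymorphism caveat above, as an added C++ example that is not part of the lecture: a derived class overrides an inherited authorization check and silently loosens it, and the hardened design keeps the check non-virtual so derived classes can only tighten the policy. The `Role` values, the `Resource`/`SafeResource` classes and the policy itself are constructed for the example.

```cpp
// Added example (not from the lecture): how polymorphism can undo an
// inherited security check, and how to keep the check non-overridable.

// Constructed roles for the example.
enum class Role { Guest, Staff, Admin };

// --- Naive design: the authorization check itself is virtual. ------------
class Resource {
public:
    virtual ~Resource() = default;
    // Any derived class may replace this, and with it the security policy.
    virtual bool authorize(Role caller) const { return caller != Role::Guest; }
    // Callers use the object through this interface; which `authorize`
    // runs is decided at run time by the dynamic type (polymorphism).
    bool read(Role caller) const { return authorize(caller); }
};

// A derived object that "inherits security" but overrides the check.
// It now lets anyone in: the base class policy is silently gone.
class Report : public Resource {
public:
    bool authorize(Role) const override { return true; }
};

// --- Hardened design: the check is fixed; only the business logic varies. -
class SafeResource {
public:
    virtual ~SafeResource() = default;
    // Non-virtual interface: the policy is enforced here and cannot be
    // replaced by any derived class (no `virtual` on this method).
    bool read(Role caller) const {
        if (!allowed(caller)) return false;
        return doRead();
    }
private:
    // Derived classes may only tighten, never loosen, the policy: their
    // extra requirement is ANDed with the base requirement.
    bool allowed(Role caller) const {
        return caller != Role::Guest && extraRequirement(caller);
    }
    virtual bool extraRequirement(Role) const { return true; }
    virtual bool doRead() const = 0;
};

class SafeReport : public SafeResource {
    bool doRead() const override { return true; }
};

// A derived class can still tighten the policy (admin only here), but it
// has no way to grant access that the base class denies.
class RestrictedReport : public SafeResource {
    bool extraRequirement(Role caller) const override { return caller == Role::Admin; }
    bool doRead() const override { return true; }
};

// Helpers: exercise each object through its base reference, which is how
// polymorphism hides the override from the calling code.
bool naive_read(Role caller)      { Report r;           const Resource& base = r;     return base.read(caller); }
bool safe_read(Role caller)       { SafeReport r;       const SafeResource& base = r; return base.read(caller); }
bool restricted_read(Role caller) { RestrictedReport r; const SafeResource& base = r; return base.read(caller); }

int main() {
    // Exit status 0 when the flaw is present in the naive design and absent in the hardened one.
    bool flaw_present = naive_read(Role::Guest);
    bool fix_holds = !safe_read(Role::Guest) && safe_read(Role::Staff) && !restricted_read(Role::Staff);
    return (flaw_present && fix_holds) ? 0 : 1;
}
```

  The pattern in `SafeResource` is the non-virtual interface idiom: the public entry point owns the security decision and delegates only the variable behaviour to private virtual hooks, so a review of the base class is enough to know the check always runs.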
  • 30. Distributed programming
  Distributed programming can use any of the following four major protocols:
  ● Distributed Component Object Model (DCOM).
  ● Simple Object Access Protocol (SOAP).
  ● Common Object Request Broker Architecture (CORBA).
  ● Enterprise Java Beans (EJB).
  Distributed programming requires abstract communication between hosts. Distributed computing entails programs located on different hosts cooperating in the same application. Applications are divided into components; each can operate in a different location or platform. The four major protocols in use today are DCOM, SOAP, CORBA, and EJB.
  Distributed Component Object Model (DCOM): This protocol is used specifically by Microsoft and is the default protocol for Windows operating systems. The protocol's security was once compromised by the Blaster worm, which used DCOM to spread itself.
  • 31. Service Oriented Architecture Protocol (SOAP): "SOAP Version 1.2 provides the definition of the XML-based information which can be used for exchanging structured and typed information between peers in a decentralized, distributed environment." SOAP is a replacement for DCOM.
  Common Object Request Broker Architecture (CORBA): A platform-neutral and open set of standards. CORBA permits communication between applications irrespective of their location. It is based upon the Object Request Broker (ORB) concept, which creates the client/server relationship between objects. A client can utilize an ORB on the same computer or gain access to a network for searching and executing a method on a server object. Note that CORBA, and Object Request Brokers in general, are examples of the reference monitor concept from security architecture, applied to distributed systems.
  Enterprise Java Beans (EJB): EJB is a server-side Java component that abstracts both the web server and the database; it serves a web application via a browser. It places the security requirements on the server side.
  • 32. Threats and malware
  Threats and malware that affect the security of applications include:
  ● Buffer overflow
  ● Denial of service
  ● Race condition
  ● Data hiding
  ● Alternate data streams
  ● Non-technical
  ● Malformed input attacks
  ● SQL injection
  ● Unicode attack
  ● Executable content/mobile code
  ● Web applets
  ● Dynamic email
  ● Object reuse
  ● Garbage collection
  ● Trap door
  • 33. Now that we have covered the basic concepts of application security, let's look at the threats to our applications, including malware. Here is a list of some of the things you should understand at the end of this unit:
  ● Identify some common programming vulnerabilities.
  ● The need for development controls to prevent the deployment of software, databases, business processes, or networks containing vulnerabilities.
  ● Identify and describe common malware types.
  ● Choose controls appropriate for different types of malware.
  Threats and malware that affect the security of applications include:
  • 34. Buffer Overflow
  A buffer overflow is a weakness arising from both poor coding practices and the programming language (typically C or C++). The buffer overflow is one of the oldest and most common program vulnerabilities, having existed almost since interactive computing began.
  ● Buffers are the memory containers for programs executed by computers.
  ● Programs in execution define the buffers they will use.
  ● The amount of data that is sent by the program to the buffer is unknown until the time of execution.
  ● Overflow is the process of putting more than is expected into a container (buffer), which spills into some other place.
  ● When data overflows one buffer, it flows into another buffer or another program.
  ● The questions are: Where does the data go? What happens to the data that was in the second buffer?
  ● When an input is more than is expected, the program should reject the data gracefully.
  ● When the program does not reject the data gracefully, a buffer overflow occurs.
  ● Technically, to stop buffer overflows, you must check all bounds on array and pointer references for all executing code.
  ● Administratively: Bounds checking is an easy task for one programmer on one system, but knowing how many other programs are running is difficult.
  ● When our computing environment is non-adversarial, users and programmers realize the mistake and perform their own reset.
  ● When our computing environment is adversarial, attackers will look for these flaws and use them as an opportunity to execute their code, thus taking control of our computing resources.
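  The strcpy remark on the compiled-languages slide and the bounds-checking advice above, as an added C++ example that is not from the lecture. The buffer size, the `copy_name_checked`/`accept_name` names and the inputs are constructed for the example; the hardened copy refuses input that does not fit instead of letting it spill into neighbouring memory.

```cpp
// Added example (not from the lecture): bounded input handling in C++.
// A fixed-size buffer is filled from untrusted input with an explicit
// length check, rejecting oversized input instead of overflowing.
#include <cstddef>
#include <cstring>
#include <string>

// Size of the fixed buffer an application might reserve for a user name
// (constructed value for the example).
constexpr std::size_t NAME_BUF_SIZE = 16;

// The pattern the slide warns about: strcpy copies until it finds a NUL
// byte and never looks at the destination size.  Shown for contrast only
// and never called here, because a long `src` would write past `dst`.
void copy_name_unchecked(char* dst, const char* src) {
    std::strcpy(dst, src);  // no bounds check: overflow if strlen(src) >= NAME_BUF_SIZE
}

// Hardened version: the caller states the destination capacity and the
// copy is refused (false) when the input plus its terminator would not fit.
bool copy_name_checked(char* dst, std::size_t dst_size, const char* src) {
    if (dst == nullptr || src == nullptr || dst_size == 0) return false;
    // Look for the terminator only within the first dst_size bytes, so even
    // an unterminated `src` cannot make us scan far beyond what we accept.
    const void* nul = std::memchr(src, '\0', dst_size);
    std::size_t len = nul ? static_cast<std::size_t>(static_cast<const char*>(nul) - src)
                          : dst_size;
    if (len >= dst_size) {
        dst[0] = '\0';      // leave the buffer in a defined state
        return false;       // reject gracefully, as the slide recommends
    }
    std::memcpy(dst, src, len + 1);  // len + 1 includes the NUL terminator
    return true;
}

// Convenience wrapper used by the checks: returns the accepted name, or an
// empty string when the input was rejected.
std::string accept_name(const std::string& input) {
    char buf[NAME_BUF_SIZE];
    if (!copy_name_checked(buf, sizeof buf, input.c_str())) return "";
    return std::string(buf);
}

int main() {
    // Constructed inputs: one that fits and one that would have overflowed.
    bool ok_short = !accept_name("alice").empty();
    bool ok_long  = !accept_name(std::string(200, 'A')).empty();
    return (ok_short && !ok_long) ? 0 : 1;
}
```

  The important design point is that the capacity travels with the pointer: `copy_name_checked` cannot be called without saying how large the destination is, whereas `strcpy` has no way to know.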
  • 35. Denial of service: The result of another person or process consuming the resources on the system and thus limiting the resources available for the use of others. It is an attack against availability. Denial of service generally does not involve erasure or destruction of data or resources. A DoS does not need to be complex; for example, invalid searches on a website can cause a denial of service.
  Race condition: A false assumption about the current state of a program or a variable in a program that allows integrity to be reduced. When two or more processes use the same resource, each process may assume that the state of that resource is constant, but each process can affect the resource. For example: the glass is full of water and under an opaque box; whoever gets thirsty first drinks; the other assumes the glass to be full, and reaches for an empty glass. A particular type of race condition for file access is a Time of Check (TOC) to Time of Use (TOU) race.
  Data hiding in digital warrens: A local computer has many places for an adversary to hide information from normal view. One classic example of a digital warren is the slack space, which is the unused portion of the hard disk between the end of the file and the end of the file cluster.
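  The time-of-check to time-of-use race described above, as an added C++ example that is not part of the lecture. It assumes a Unix-like system (POSIX `open`, `fstat`, `mkstemp`, `symlink`); the temporary file, its contents and the `Fixture` helper are constructed for the example. The racy version checks a path and then opens the same path again, so the object checked need not be the object opened; the fixed version checks the very descriptor it reads from.

```cpp
// Added example (not from the lecture): a time-of-check/time-of-use race on
// a file, and the fix of checking the same open descriptor that is used.
// Uses POSIX calls, so it assumes a Unix-like system.
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>
#include <cstdlib>
#include <string>

// Racy pattern: stat() checks the path, then open() would use the path
// again.  Between the two calls the path may be re-pointed (e.g. replaced by
// a symlink), so what was checked is not necessarily what gets opened.
bool is_regular_file_by_path(const std::string& path) {
    struct stat st;
    return ::stat(path.c_str(), &st) == 0 && S_ISREG(st.st_mode);
}

// Safe pattern: open once with O_NOFOLLOW (refuse a symlink as the final
// path component), then fstat() the descriptor itself.  Check and use share
// one handle, so whatever passed the check is exactly what is read.
// Returns true and fills `out` on success; false if the file is refused.
bool read_regular_file_safely(const std::string& path, std::string& out) {
    int fd = ::open(path.c_str(), O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return false;
    struct stat st;
    if (::fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        ::close(fd);
        return false;
    }
    out.clear();
    char buf[4096];
    ssize_t n;
    while ((n = ::read(fd, buf, sizeof buf)) > 0) out.append(buf, static_cast<std::size_t>(n));
    ::close(fd);
    return n == 0;
}

// Constructed fixture: a temporary regular file with known content and a
// symlink pointing at it, standing in for the "re-pointed path" of the race.
struct Fixture {
    std::string file;
    std::string link;
    Fixture() {
        char tmpl[] = "/tmp/toctou_demo_XXXXXX";
        int fd = ::mkstemp(tmpl);
        file = tmpl;
        if (fd >= 0) { (void)::write(fd, "secret\n", 7); ::close(fd); }
        link = file + ".lnk";
        (void)::symlink(file.c_str(), link.c_str());
    }
    ~Fixture() { ::unlink(link.c_str()); ::unlink(file.c_str()); }
};

// The path-based check accepts the symlink (stat follows links), so code
// that checks this way and then opens the path would read through whatever
// the link pointed at in between.
bool racy_check_accepts_symlink() { Fixture f; return is_regular_file_by_path(f.link); }

// The descriptor-based version refuses the symlink but reads the real file.
bool safe_read_refuses_symlink() { Fixture f; std::string s; return !read_regular_file_safely(f.link, s); }
std::string safe_read_of_real_file() { Fixture f; std::string s; read_regular_file_safely(f.file, s); return s; }

int main() {
    return (racy_check_accepts_symlink() && safe_read_refuses_symlink()
            && safe_read_of_real_file() == "secret\n") ? 0 : 1;
}
```

  The fixture only shows the end state of a race (a link where a file was expected); in a real race the swap happens in the window between the two calls, which is why the remedy is to remove the window rather than to check faster.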
  • 36. Alternate data streams: Also called system forks, these are additional hidden data associated with a file. Most end-user applications will not show these streams.
  Non-technical threats: These threats, such as legal and regulatory and privacy risks, are addressed in the Legal, Regulatory, Compliance and Investigation domain.
  Malformed input attacks: Malformed input, more generally known in security literature as malformed data, involves various means of getting illicit commands or packets through defensive measures. For example, denial of service packets that would normally be rejected by a firewall can be fragmented to the point that the firewall no longer recognizes the individual fragments as malicious. Commands (such as dir) can be sent to a web server in Unicode (%c0%af), which the server will properly interpret and act upon, but which a content filter may not recognize as commands. An attack using malformed input frequently involves commands or code that are somehow crafted to appear to be merely data, hence the name malformed data. These types of attacks are particularly prevalent in web applications. Developers may use a shortcut in creating web pages by embedding SQL commands into an actual web link, in order to have commands passed to the supporting application.
  • 37. Attackers can view the source code, find such embedded commands, and modify them in an attempt to see what effect the modifications have on the application. SQL and Unicode are by no means the only forms of data that can be used in this way. The buffer overflow attack can be seen as a special case of malformed data.
  SQL injection: A type of attack in which an intruder inserts a sequence of Structured Query Language (SQL) commands into an SQL statement.
  • 38. Unicode attack: Unicode representations of control information may be passed by a firewall, but correctly (negatively) interpreted by the server.
  Executable content/mobile code: Code that is downloaded to the user's machine and executed. Running programs on a computer may give the program unexpected access to resources on the machine. The idea of mobile code goes by various names, including executable content, remote code, mobile code, mobile agents, downloadable code, and active capsules. Execution of remote source code can be performed on local machines. Agent software is generally differentiated from other forms of mobile code by the additional autonomy of the program, and should, therefore, be subject to additional controls. Mobile code threats are implemented through the following:
  Web applets: Small programs written in Java, scripting languages, or Active X controls. In regard to the web, note that Java applets are usually subject to a sandbox, whereas JavaScript has no such protection.
  Dynamic email: Active scripts or links included in email messages. Dynamic email is particularly dangerous. Unless a specific need is demonstrated, it may be best to have policies restricting the functions available within email and mail user agent (MUA) software.
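  The %c0%af case from the malformed-input slide and the Unicode attack above, as an added C++ example that is not part of the lecture. A lenient UTF-8 decoder turns the overlong two-byte sequence c0 af into '/', so "..%c0%af" sails past a filter that looks for "../" before decoding; a strict decoder rejects overlong forms outright. The `classify_path` filter, its three verdicts and the sample paths are constructed for the example.

```cpp
// Added example (not from the lecture): strict UTF-8 validation of a
// percent-decoded request path, so that a content check runs on the
// canonical form and overlong encodings such as %c0%af are rejected.
#include <cstddef>
#include <cstdint>
#include <optional>
#include <string>

// Percent-decodes "%XX" escapes; returns nullopt on a malformed escape.
std::optional<std::string> percent_decode(const std::string& in) {
    auto hex = [](char c) -> int {
        if (c >= '0' && c <= '9') return c - '0';
        if (c >= 'a' && c <= 'f') return c - 'a' + 10;
        if (c >= 'A' && c <= 'F') return c - 'A' + 10;
        return -1;
    };
    std::string out;
    for (std::size_t i = 0; i < in.size(); ++i) {
        if (in[i] != '%') { out += in[i]; continue; }
        if (i + 2 >= in.size()) return std::nullopt;
        int hi = hex(in[i + 1]), lo = hex(in[i + 2]);
        if (hi < 0 || lo < 0) return std::nullopt;
        out += static_cast<char>(hi * 16 + lo);
        i += 2;
    }
    return out;
}

// Decodes UTF-8 bytes to code points.  With strict == true it returns
// nullopt for ill-formed input: overlong encodings (the %c0%af case),
// truncated sequences, stray continuation bytes, surrogates and values
// above U+10FFFF.  With strict == false it behaves like a lenient decoder
// that accepts overlong forms, shown only to make the difference visible.
std::optional<std::u32string> decode_utf8(const std::string& s, bool strict) {
    std::u32string out;
    std::size_t i = 0;
    while (i < s.size()) {
        unsigned char b0 = static_cast<unsigned char>(s[i]);
        uint32_t cp; int extra; uint32_t min;
        if (b0 < 0x80)      { cp = b0;        extra = 0; min = 0; }
        else if (b0 < 0xC0) return std::nullopt;                 // unexpected continuation byte
        else if (b0 < 0xE0) { cp = b0 & 0x1F; extra = 1; min = 0x80; }
        else if (b0 < 0xF0) { cp = b0 & 0x0F; extra = 2; min = 0x800; }
        else if (b0 < 0xF8) { cp = b0 & 0x07; extra = 3; min = 0x10000; }
        else return std::nullopt;
        if (i + extra >= s.size()) return std::nullopt;          // truncated sequence
        for (int k = 1; k <= extra; ++k) {
            unsigned char b = static_cast<unsigned char>(s[i + k]);
            if ((b & 0xC0) != 0x80) return std::nullopt;         // not a continuation byte
            cp = (cp << 6) | (b & 0x3F);
        }
        if (strict && cp < min) return std::nullopt;             // overlong: a shorter form exists
        if (cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return std::nullopt;
        out.push_back(cp);
        i += extra + 1;
    }
    return out;
}

// Constructed request-path filter: decode, validate, and only then look for
// traversal.  Returns "reject" when decoding fails, "traversal" when "../"
// is present in the canonical form, otherwise "ok".
std::string classify_path(const std::string& raw) {
    auto bytes = percent_decode(raw);
    if (!bytes) return "reject";
    auto cps = decode_utf8(*bytes, /*strict=*/true);
    if (!cps) return "reject";
    for (std::size_t i = 0; i + 2 < cps->size(); ++i)
        if ((*cps)[i] == '.' && (*cps)[i + 1] == '.' && (*cps)[i + 2] == '/') return "traversal";
    return "ok";
}

int main() {
    bool ok = classify_path("/images/logo.png") == "ok"
           && classify_path("/..%2f..%2fetc/passwd") == "traversal"
           && classify_path("/..%c0%af..%c0%afetc/passwd") == "reject";
    return ok ? 0 : 1;
}
```

  The order matters: the filter inspects the fully decoded, validated form, so there is no second representation left for the server to interpret differently from the filter.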
  • 39. Object reuse: An object previously used for another application or for information storage may contain sensitive residual data. Note that objects may be physical (drive storage) or logical (memory or variable assignments).
  Garbage collection: De-allocation of storage following program execution. Garbage collection may be both good and bad. Programs written in C must have specific functions for garbage collection and memory deallocation; if this is not done, the program may run out of memory. Programs written in Java have efficient garbage collection and more efficient memory use. However, sometimes memory is reassigned without being cleared, and, therefore, precautions must be taken to ensure confidential information is erased immediately after use.
  Trap door: A mechanism embedded in a program that allows the normal security access procedures to be bypassed. Another term for trap door is maintenance hook. A maintenance hook typically deals with the O/S, while a trap door is used for applications.
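  The object-reuse and "memory reassigned without being cleared" points above, as an added C++ example that is not from the lecture. A small buffer pool recycles blocks between two tenants: the naive pool hands the second tenant a block still holding the first tenant's data, while the hardened pool wipes each block on release. The `Pool` class, the block size and the "session-token" value are constructed for the example.

```cpp
// Added example (not from the lecture): object reuse in a buffer pool.
// A naive pool returns a recycled block with the previous user's contents
// intact; the hardened pool wipes each block when it is released.
#include <cstddef>
#include <cstring>
#include <string>
#include <vector>

constexpr std::size_t BLOCK_SIZE = 64;   // constructed block size

// A block of reusable memory, as an allocator or pool might manage it.
struct Block { unsigned char bytes[BLOCK_SIZE]; };

// Zeroes memory through a volatile pointer so the compiler cannot discard
// the stores as dead writes (a plain memset right before release often is).
void secure_wipe(void* p, std::size_t n) {
    volatile unsigned char* v = static_cast<volatile unsigned char*>(p);
    while (n--) *v++ = 0;
}

class Pool {
public:
    explicit Pool(bool wipe_on_release) : wipe_(wipe_on_release) {}
    Pool(const Pool&) = delete;
    Pool& operator=(const Pool&) = delete;
    ~Pool() { for (Block* b : storage_) delete b; }

    // Hands out a block.  A recycled block comes back exactly as its last
    // user left it unless the pool wiped it on release.
    Block* acquire() {
        if (!free_.empty()) { Block* b = free_.back(); free_.pop_back(); return b; }
        storage_.push_back(new Block{});     // fresh blocks are zero-initialized
        return storage_.back();
    }
    void release(Block* b) {
        if (wipe_) secure_wipe(b->bytes, BLOCK_SIZE);   // the object-reuse control
        free_.push_back(b);
    }
private:
    bool wipe_;
    std::vector<Block*> storage_;
    std::vector<Block*> free_;
};

// Simulates two tenants sharing one pool: the first writes a constructed
// secret and releases its block; the second acquires a block and returns
// whatever it can read from it before writing anything of its own.
std::string leaked_to_next_user(bool wipe_on_release) {
    Pool pool(wipe_on_release);
    Block* b = pool.acquire();
    const char secret[] = "session-token-ABC123";      // constructed sample secret
    std::memcpy(b->bytes, secret, sizeof secret);      // includes the NUL terminator
    pool.release(b);
    Block* reused = pool.acquire();                    // the same block comes back
    return std::string(reinterpret_cast<const char*>(reused->bytes));  // reads up to the first NUL
}

int main() {
    bool leak_without_wipe = leaked_to_next_user(false) == "session-token-ABC123";
    bool clean_with_wipe   = leaked_to_next_user(true).empty();
    return (leak_without_wipe && clean_with_wipe) ? 0 : 1;
}
```

  Wiping on release rather than on acquire is the safer default: the secret disappears as soon as its owner is finished with it, rather than sitting in the free list until someone else happens to need the block.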
  • 40. Importance of the Software Development Life Cycle
  The software development life cycle (SDLC) comprises:
  ● Initiation phase
  ● System concept development phase
  ● Planning phase
  ● Requirements analysis phase
  ● Design phase
  ● Development phase
  ● Integration and test phase
  ● Implementation phase
  ● Operations and maintenance phase
  • 41. Basics of the Software Development Life Cycle
  ● Disposition phase
  Many organizations have a great development process in place that does not specifically address security; either security is assumed or forgotten. Many organizations use their own customized version of a software development methodology. Irrespective of the development method being followed, the software development life cycle (SDLC) possesses numerous important phases that can be presented separately or in unison. Different authors name these phases differently depending on the project size. The important aspect is not the name or number of steps, but the fact of having a progressive process that assists in managing development and detecting problems before they get too big. Some diagrams represent the development cycle in as few as 3 steps. The most expanded development model, with 10 steps, is showcased as follows:
  Initiate: A project is initiated when there is a need in the business. Once the need is known, a project manager is assigned to accomplish the task. The manager then creates a concept proposal document to jot down the business needs. When the concept proposal document is approved by the business, the working concept is developed.
  Conceptualize: After the project initiation stage is through, the built concept is analysed to answer whether the project is appropriate and feasible. The scope of the project is streamlined via a project boundary document that needs consent from senior officials. Next the funding for the project is acquired, and then the planning is initiated.
  • 42. Plan: Once the conceptualization phase is over, the concept document is advanced further by detailing how the organization will operate its business when the approved project is deployed and by judging how the project will affect employees and the privacy of customers. In the planning phase, project tools, schedules, activities, and resources are defined so that the project meets the client's requirements on time and within the allotted budget. In addition, this phase also incorporates accreditation activities, security certification, and a high-level vulnerability assessment through identification of the project's security requirements.
  Analyze Requirements: Once the planning phase is over, user requirements in terms of functionality are determined, and software performance, data, security, and maintenance are accurately and precisely represented. The project requirements are defined to a level of sufficiency that will meet the system design specification. Analysis of the requirements is performed in a holistic way by relating them to the business needs recognized in the initiation phase and making them testable and measurable.
  Design: After the requirements analysis phase is concluded, the system's physical characteristics are designed. In this phase the establishment of the operating system platform, determination of subsystems and their inputs and outputs, and allocation of resources to processes are performed. The identified subsystems form the basis for creating the comprehensive structure of the system. Partitioning of the subsystems into modules or units and preparation of an in-depth logic specification for each module is performed.
  • 43. Develop: After the system specifications are documented in the design phase, they are translated into executable software, communications, and hardware. The assembling and testing of the hardware is performed, then the unit testing, integration, and retesting of the software is undertaken.
  Integration and Test: After the development phase is completed, the various modules of the system undergo integration and methodical testing. Users perform functional testing as described in the functional requirements document, which is referred to for its complete realization. The system undergoes accreditation activities and the security certification stage prior to the deployment of the software in the production environment.
  Implement: Once the module integration and testing phase is finished, the developed software is installed on the client's machines. The implementation phase terminates after the deployed software is up and running with complete functionality as mentioned in the requirements document.
  Operate and Maintain: After the implementation phase, the operation and maintenance phase arrives, which is an ongoing process. In this phase, the deployed software is supervised for functioning as presented in the user's requirements document, and any alterations required are noted. In-process review is done in order to make the developed software effective, efficient, and satisfactory. The software re-enters the planning phase when an alteration of the functionality is mandatory.
  • 44. Dispose: Once the software is accepted and operational in the production environment, the software development cycle is terminated gracefully by preserving all the important data about the software for future purposes.
  Detailed description of SDLC
  ● Project initiation and planning.
  ● Functional design definition.
  ● Detailed design specifications.
  ● Develop and document.
  ● Acceptance, testing and transition to production.
  ● Decommissioning/disposal.
  ● Critical data.
  ● Sanitize/destroy media.
  ● Software removal.
  • 45. Project initiation and planning: The most important aspect to note here is that security should be involved from the very beginning of the project. And, as we will see when dealing with development methods, work invested at this early stage will avoid problems and delays later in the process.
  ● Consider common attacks for this kind of application.
  ● Spanning Tree analysis.
  ● Determine risks and security requirements.
  Functional design definition: Heed the fact that for each item in the development process, there is a corresponding security consideration. In fact, sometimes we have to take more steps than the developers do. At this stage, we are considering abstract and sometimes formal security models and principles. We may wish to apply separation of duties (to processes), least privilege, and possibly even need-to-know factors. Some input to the project may be based on analysis such as:
  ● Risk analysis.
  ● Failure modes and effects analysis.
  ● Solutions and alternative designs.
  • 46. Detailed design specifications: Consider, at this stage and later, error and exception handling possibilities. Design testing strategies, objectives, and specific tests to be run against the application. In this phase the flaw hypothesis method is used. It is a system penetration and analysis technique in which analysis of documentation and specifications is performed to hypothesize flaws. Prioritization of the flaws is set on the basis of the anticipated probability that the flaw is present, on the ease of exercising the flaw, and on the degree of compromise or control loss the flaw could bring about.
  Develop and document: Note the mention of documentation, which is often neglected in development. Perform code analysis during this phase, possibly using code review tools.
  Acceptance, testing and transition to production: The critical element in this phase is testing the program before it is brought into full-line production. Perform operational and destructive tests. Certification and Accreditation are the final steps involved in accepting the system, as described in our section in the Security Architecture domain. Obtained once the application is in operation. Note that one of the security requirements will be to have assurance (trust in the proper operation of the controls and mitigation of risk), as well as functional security mechanisms.
  Decommissioning/disposal: Note the recommendations on media sanitizing from the security management domain and also the inverse position on data recovery in investigation.
  Critical data: Data which is critically important to support business operations must be protected from accidental destruction or erasure.
  • 47. Sanitize/destroy media: Storage media that has contained sensitive data must be adequately protected, perhaps through overwriting or destruction, to prevent the unauthorized recovery of data.
  Software removal: When software is to be removed from systems, make sure that the software is not being used unexpectedly by other applications, and ensure that software is removed from systems that are being decommissioned or sold off in order to prevent license violations.
  • 48. Software development methods
  There are numerous methods on the basis of which software can be developed, such as:
  ● Waterfall
  ● Spiral method
  ● Clean room
  ● Structured programming development
  ● Iterative development
  ● Joint analysis development
  ● Prototyping
  ● Modified Prototyping Model (MPM)
  ● Rapid Application Development (RAD)
  ● Reuse model
  ● Computer Aided Software Engineering (CASE)
  ● Component-based development
  ● Extreme programming
  ● Agile development
  • 49. There are numerous software development methods that have been developed to meet strict software development timeframes and the unique requirements of clients. The following list provides a brief overview of some of the most essential methods. When applying, mixing, or matching any of these methods to a project, ask if enough risk has been addressed to satisfy the stakeholders.
  ● Waterfall: This software development method is probably the earliest model, and its creation can be attributed to the great minds of the early 1970s. Each phase contains a list of milestones that need to be covered before the next phase initiates.
  ● Spiral method: This software development method is a bit different from other methods owing to the fact that in this method each phase undergoes risk assessment. This helps to predict the cost of completion of the project, and the revision of schedules is executed as per the outcome, thereby guiding the officials to decide whether to cancel or continue the project.
  ● Clean-room: This software development method focuses on preventing defects in contrast to removing defects, and is followed to create high-quality software. It has developers write correct code in the first version and controls software bugs, thereby following the zero-defect approach to software development. The development time is minimized by following the strategy of incremental development and code rework avoidance. Most of the time is spent in the design phase rather than the testing phase.
  • 50. ● Structured programming development: This software development method focuses on the quality of the developed product in terms of security, understandability, consistency, and freedom from software bugs. It mandates discipline, controlled flexibility, and introspection, which is achieved through modularized programming, reviews and approvals in each phase, and defined processes, thereby permitting the addition of security in a formalized and structured manner.
  ● Iterative development: This software development method permits changes in the requirements of the software from the clients during the stages of its development. It provides flexibility to make successive refinements in coding, design, and the needs of the project. From the security perspective, the iterative method challenges software developers to provide adequate security controls as the requirements, specifications, and designs change.
  ● Joint Analysis Development (JAD): This software development method utilizes a management process to assist software developers to work efficiently by communicating with the client at vital phases of the project. Joint analysis development brings together a group of users, technical specialists, coders, and designers during the software development life cycle, thereby facilitating the software development process.
  • 51. ● Prototyping: This software development method's objective is to create a prototype or a simplified version of an application, give it to the client for review, utilize the client's feedback, and create an improved version incorporating the feedback. The procedure is repeated until the client accepts the product. Prototyping involves beginning with a concept, designing and making use of the starting prototype, improving until the prototype is in the acceptance stage, and finalizing the project and dispatching the final product.
  ● Modified Prototyping Model (MPM): This software development method permits the simplest of the functionality required by a system or component to be installed in a short time frame.
  ● Exploratory model: This software development method focuses on creating a usable system by making assumptions on system workability, combined with insights and suggestions on whatever is presently available, to set requirements.
  ● Rapid Application Development (RAD): This software development method, as the name suggests, uses rapid prototyping, rapid software development tools, and a strict time frame in each phase to complete the project. One caveat in this methodology is that, owing to the rapid decision making, it may lead to inadequate design work.
  ● Reuse model: This software development method, as the name suggests, uses existing components to build an application.
• 52.
● Computer Aided Software Engineering (CASE): This software development method uses computers for analysing, designing, developing, implementing, testing, and maintaining software in a structured and systematic way. Software developers must undergo training in order to use a CASE tool. Computer aided software engineering is mainly used in complex, large, multi-environment projects in which multiple software components and several people work together in a collaborative environment. The tool lets the various participants in the software development process share a common view of the various stages of development. It also helps in organizing tasks, reusing designs and code, reducing software development cost, and improving software quality.
● Component-based development: This software development method uses standardized building blocks called components to assemble an application rather than developing it from scratch. This method helps to develop the software in an economical and scheduled manner. The components are encapsulated sets of standardized data and methods for processing that data.
● Extreme programming: This software development method uses a specific structure to accelerate and simplify the software development process. The extreme programming (XP) team develops an application for a particular purpose and is not concerned with adding unrequested functionality that could slow the development process, thereby keeping the progress of development simple and regularizing design and testing.
● Agile development: This software development method uses short development iterations to reduce risk.
  • 53. Adherence to secure software development principles
• 54. The information security triad comprises:
● Confidentiality
● Integrity
● Availability
• 55. Information security triad
Application security primarily addresses the integrity part of the triad, in an effort to maintain the accuracy of data. It also addresses the availability of the system by protecting against malware that may waste system and network resources. The following figure shows the information security triad.
● Confidentiality: The application must ensure that access is given only to authorized people or processes. The program (application) must also ensure that each user gets access only according to their privilege level. The application should limit the use of the application and its data to the intended purposes, and guard against covert channels and object reuse.
● Integrity: The application can often prevent the corruption of data through proper edit checks and controls. The application must also be written to ensure the correct and complete processing of transactions. Malware may specifically target the integrity of the data.
● Availability: The whole purpose of application security is to make it easy for users to access data correctly. The application must be written in such a way as to provide the information promptly. Even when applications are used as intended, an application that is not optimized for the number of users may fail.
• 56. Web application security principles
Web application security principles include:
● Validate all input and output.
● Fail secure (closed).
● Fail safe.
● Make it simple.
● Defence in depth.
● Only as secure as the weakest link.
● Security by obscurity.
● Do not cache secure pages.
● Industry standard encryption.
● Monitor third party code vendors for security alerts.
● Validate all data.
● User data should be bounds checked.
• 57. Validate all input and output: Both input and output should be validated. Only allow data known to be valid.
Fail secure (closed): A design principle that makes it compulsory that, should anything fail, it fails in such a way that it remains secure rather than failing and leaving everything open. An example is a firewall: should the firewall software crash, all traffic should be disallowed rather than allowed.
Fail safe (open): A design principle that obligates that if a part of a system fails, the failure does not cascade and break down the entire system, in particular access to the rest of the system. Thus a system that fails open is good for availability, but not for confidentiality.
Make it simple: If a security system is too complex, it will either not be used or users will find ways to bypass it. An example is a rigorous password check where users have to write passwords down because they are too complex.
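The fail secure (closed) and fail safe (open) principles above, together with allowlist validation of input, as an added example that is not part of the lecture deck. `PolicyStore` is a constructed stand-in for an authorization back end that may become unreachable; the grant table and the identifier pattern are assumptions for the demonstration.

```python
"""Fail secure (closed) vs fail safe (open), with allowlist input validation,
as an added example (not from the lecture deck). `PolicyStore` is a constructed
stand-in for an authorization back end that may become unreachable."""
import logging
import re
from dataclasses import dataclass, field
from typing import Dict, Set

log = logging.getLogger("access")
NAME = re.compile(r"[a-z][a-z0-9_]{0,31}")   # only data known to be valid is accepted


class PolicyUnavailable(Exception):
    """Raised when the policy back end cannot be reached."""


@dataclass
class PolicyStore:
    # Constructed sample grants: user -> resources that user may access
    grants: Dict[str, Set[str]] = field(default_factory=lambda: {"alice": {"report"}})
    online: bool = True   # flip to False to simulate the back end crashing

    def allowed(self, user: str, resource: str) -> bool:
        if not self.online:
            raise PolicyUnavailable("policy store unreachable")
        return resource in self.grants.get(user, set())


def valid_name(value: str) -> bool:
    """Validate input: accept only what matches the allowlist, reject everything else."""
    return isinstance(value, str) and NAME.fullmatch(value) is not None


def authorize_fail_closed(store: PolicyStore, user: str, resource: str) -> bool:
    """Deny on bad input and on any failure of the check itself: a crashed or
    unreachable policy store must never turn into a grant (confidentiality first)."""
    if not (valid_name(user) and valid_name(resource)):
        log.warning("rejected malformed identifiers %r/%r", user, resource)
        return False
    try:
        return store.allowed(user, resource)
    except PolicyUnavailable as exc:
        log.error("policy check failed for %s/%s: %s -> denied", user, resource, exc)
        return False


def authorize_fail_open(store: PolicyStore, user: str, resource: str) -> bool:
    """Same check, but a failure of the store grants access: availability is kept,
    confidentiality is not. Shown only to contrast with the closed variant."""
    if not (valid_name(user) and valid_name(resource)):
        return False
    try:
        return store.allowed(user, resource)
    except PolicyUnavailable as exc:
        log.warning("policy check failed for %s/%s: %s -> allowed", user, resource, exc)
        return True
```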
• 58. Defense in depth: The system should be designed in such a way that if one part of the system fails to catch a security breach, another part will, thereby providing defense in depth.
Only as secure as the weakest link: Attackers will search for the link that can be most easily breached in order to exploit it, so system security is only as strong as its weakest link.
Security by obscurity: While obscuring information may buy you some time, you are not actually protecting the information, just relying on luck that someone won’t find it. This is not an acceptable security position.
Do not cache secure pages: When data is transmitted via HTTPS, the client side should not be configured to store the data.
Industry standard encryption: Standard algorithms such as AES should be used whenever possible.
Monitor third party code vendors for security alerts: All applications and operating systems have security bulletins that must be reviewed on a continual basis.
Validate all data; user data should be bounds checked: All partner (third party) data should be verified against known values.
• 59. Application design & development security
Application design & development security includes:
● Secure design methodology.
● Secure development methodology.
● Security testing.
● Change control and configuration management.
● Certification and accreditation.
● Vulnerability response plan.
• 60. Secure design methodology: It includes listing the skills required of developers, attack surface analysis, threat modelling, and security design review.
Secure development methodology: One should be used, and it should include assessment tools, check-in reviews, peer reviews, and version control of updates and configuration changes.
Security testing: It should have predetermined criteria and a testing methodology. Tools for security testing include static scanners, coverage tools, control coverage, fuzzing, and penetration testing. Exceptions and error conditions should push the application past the data norms.
Change control and configuration management: For both the application and the operating system on which it will reside, the configuration must be defined and moved from known-good state to known-good state.
Certification: It is the technical evaluation of the system and the risk it poses to the environment; accreditation is management’s acceptance of the risk of operating the system in the environment. The C&A process must be clearly defined.
Vulnerability response plan: It is the vendor side of patch management. When a vulnerability is reported, how is it handled? What validation is in place? What is the update preparation, update notification, and update dispersal process? How does the user community find out? Is your local CERT/FIRST team notified? Are your customers notified directly or via CVE?
• 61. Environment and controls
Security of the environment: It is controlled via physical controls.
Physical and logical separation of duties: It can be achieved with separate software interfaces.
Separation of production and development environments: It is performed by creating and using a development sandbox with permissions limited to the development team.
Retention of key personnel/knowledge: It is possible using good hiring practices.
Documentation of programs/systems/error handling: Documentation produced by the development team will aid development of the next version and vulnerability management.
Security and monitoring of off-hours access: It is another physical security control; coupled with the access control systems, it will help in the event of an investigation.
Preventing social engineering: Through routine awareness training, ensure that everyone is trained on proper procedures. Following established security procedures is an excellent way to combat social engineering.
• 62. Essence of secure software development
Additional software protection mechanisms include:
● Cryptography.
● Access controls.
● Validation of external components.
● Backup and redundancy controls.
● Training.
● Transaction controls.
● Malicious code control.
● Documentation and common program controls.
● Testing and evaluation.
● Mobile code controls.
● Data contamination controls.
There are many protection mechanisms that are available and necessary for software. This list is not exhaustive, but it is meant to indicate some of the more common mechanisms and prompt the candidate to remember and study others.
• 63. Cryptography: Cryptography can be used in a variety of ways; note that the cryptography domain deals with authentication as well as the hiding of data. If a program file has been encrypted and a virus attaches itself to it, then the process of decryption, when the file is used, will scramble the virus code, preventing its intended operation (this does not guarantee the integrity of the program’s operation, but will at least subvert the attack). Cryptography can be used for availability as well: if data files are protected by encryption, then they may be made available in unsecured environments where confidentiality might otherwise be compromised. Calculating a hash of a program or patch may also prevent the malicious or accidental alteration of the software.
Access controls: Access controls may be installed at many levels, but not all are appropriate for all types of threats. The application level can have numerous access controls installed, but this can leave data open to attacks by those working outside the specific application environment. Recall the issue of multiple paths to obtain information, and ensure that access can be effectively controlled.
Validation of external components: The software that is used by the organization should be checked.
Off-site and contract development: Development by third parties does not transfer the risk. All business processes and contractual obligations must be reviewed.
Purchased APIs and libraries: Any tools required to run applications should be a part of the change control process.
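Hashing a patch or a purchased library so that alteration is caught before it enters change control, as an added example that is not part of the lecture deck. The manifest layout (relative path to known-good SHA-256), the vendor file names and the tampering scenario are constructed for the demonstration.

```python
"""Hash verification of a patch or purchased library before it passes change
control, as an added example (not from the lecture deck). The manifest layout
and the vendor files below are constructed for the demonstration."""
import hashlib
import hmac
import os
import tempfile
from typing import Dict

CHUNK = 1 << 16   # stream files in 64 KiB pieces so large binaries are not read whole

def sha256_of_file(path: str) -> str:
    """Hex SHA-256 digest of a file, streamed from disk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def verify_components(root: str, manifest: Dict[str, str]) -> Dict[str, str]:
    """Compare each manifest entry {relative path: known-good hex digest} with the
    tree under `root`. Returns {relative path: 'ok' | 'modified' | 'missing'};
    files present on disk but absent from the manifest are reported 'unexpected',
    because an unlisted binary is exactly what change control exists to catch."""
    results = {}
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            results[rel] = "missing"
            continue
        # compare_digest: constant-time comparison, no early exit on the first mismatch
        results[rel] = "ok" if hmac.compare_digest(sha256_of_file(path), expected) else "modified"
    for dirpath, _, names in os.walk(root):
        for name in names:
            results.setdefault(os.path.relpath(os.path.join(dirpath, name), root), "unexpected")
    return results

def approve_for_deployment(root: str, manifest: Dict[str, str]) -> bool:
    """Gate: the tree is admitted only if every entry verifies as 'ok'."""
    return all(status == "ok" for status in verify_components(root, manifest).values())

def demo() -> dict:
    """Constructed scenario: a vendor library ships with digests; afterwards one
    listed file is altered and one unlisted file appears in the tree."""
    root = tempfile.mkdtemp(prefix="vendor-lib-")
    files = {"lib/parser.py": b"def parse(x):\n    return x.strip()\n",
             "lib/VERSION": b"1.4.2\n"}
    manifest = {}
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        manifest[rel] = sha256_of_file(path)          # known-good digests at receipt
    with open(os.path.join(root, "lib/parser.py"), "ab") as f:
        f.write(b"# unreviewed change\n")             # accidental or malicious alteration
    with open(os.path.join(root, "lib/extra.so"), "wb") as f:
        f.write(b"unlisted binary")
    return {"results": verify_components(root, manifest),
            "approved": approve_for_deployment(root, manifest)}
```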
• 64. Open source: Open source software is often misunderstood as “free” software. The important concept is that with open source software the source code is available to the user or purchaser, whereas with most software only the executable or object code is available to the purchaser. The security implications are debated, but most analysts feel that the ability for large numbers of users to examine the code results in systems with fewer unanticipated vulnerabilities.
Phases of open source code development/release:
● Vendor makes source code available for examination, modification, and extension.
● Various users may find and fix bugs.
● Attackers may find vulnerabilities.
● Disclosure (full/partial) is a related issue.
Backup and redundancy controls: Providing backups of operating system and application software ensures programs are available in the event of an outage or system crash. Purchased source code, or extra copies, should be kept in escrow. Redundancy controls, in relation to backups and hardware redundancy, are covered more fully elsewhere. Source code is normally not available to the purchaser of proprietary commercial software. Therefore, where the ability to update and extend the software is critical to an enterprise, special arrangements may be made to have a third party hold a copy of the source code, in order to have the resource available in the event of failure or bankruptcy on the part of the software vendor or developer (the availability of source code is another argument used to promote open source software).
• 65. Training: All staff on the development team, for design, coding and testing, must be trained to assume that security is built in and not bolted on.
Transaction controls: For databases, controls such as database rollback and checkpoint/restart must be addressed. Application controls for field initialization and reuse, temporary file/workspace clearing, and variable clearing must be reviewed.
Malicious code control: Subtypes include change detection, activity monitoring, and known-signature scanning. These fundamental types of detection systems are somewhat, but not precisely, similar to the intrusion detection systems (IDS) mentioned in the access control domain. Note that these malware detection categories were proposed by Fred Cohen in 1983, and that all subsequent malware detection schemes have been variations. For example, statistical-based, anomaly or rule-based, and signature-based IDS correspond to change detection, scanner, and activity monitor systems respectively.
Documentation and common program controls: The “common” system components, that is, those used by everyone, have a particularly strong requirement for security. However, it is a truism that “everybody’s job is nobody’s job.” Therefore, do not neglect protection of these items. Note that while user documentation presents little risk, system documentation may indicate areas of weakness or suggest points of attack. Therefore system documentation, and configuration information, should be subject to controlled access.
• 66. Testing and evaluation: Testing is a necessary but very complex art. Therefore it may be much easier to ensure proper program development to begin with than to set up a testing regimen that will identify all possible error situations. Note that testing is a part of certification, and also of change management and control, seen elsewhere in this domain.
Mobile code controls: The sandbox is the security control mechanism for mobile code. Its main functions are protection and testing. In this mechanism an unverified program is executed in a controlled environment, thereby keeping the host computer free from any harmful consequences. A sandbox is somewhat similar to virtualization in that it provides a highly secured and restrained environment. The program executed in the sandbox can have settings limiting its memory size and processor usage. This limitation allows the web server to terminate the program and generate an error log when the executed program exceeds the allowed limits, thereby safeguarding server functionality.
Data contamination controls: Some forms of output control can be used in isolation, but many rely on comparisons with input data. Erroneous input may be either deliberately malformed, as an attack, or the result of simple mistakes or carelessness. Both forms can be detrimental to correct operation or results.
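The sandbox limits on memory and processor usage described above, with the host terminating the program and writing an error log when a limit is exceeded, as an added example that is not part of the lecture deck. It assumes a POSIX host (the limits are set with setrlimit in the child process) and uses a second Python interpreter as the sandboxed program; the three sample programs are constructed.

```python
"""Sandboxed execution of an untrusted program under memory and CPU limits, as an
added example (not from the lecture deck). POSIX only: the limits are applied with
setrlimit in the child before the untrusted code starts. The sample programs at the
bottom are constructed for the demonstration."""
import logging
import resource
import subprocess
import sys
from dataclasses import dataclass
from typing import Optional

log = logging.getLogger("sandbox")

@dataclass
class SandboxResult:
    ok: bool
    returncode: Optional[int]   # None when the wall-clock timeout killed the process
    reason: str
    stdout: str

def _cap(kind: int, wanted: int) -> None:
    """Lower a limit to `wanted`, never above the hard limit already in force."""
    _, hard = resource.getrlimit(kind)
    limit = wanted if hard == resource.RLIM_INFINITY else min(wanted, hard)
    resource.setrlimit(kind, (limit, limit))

def _apply_limits(mem_bytes: int, cpu_seconds: int):
    """Returns the function run in the child between fork and exec: cap address space
    (allocations beyond it fail), CPU time (SIGXCPU beyond it) and core dumps (none)."""
    def limiter() -> None:
        _cap(resource.RLIMIT_AS, mem_bytes)
        _cap(resource.RLIMIT_CPU, cpu_seconds)
        _cap(resource.RLIMIT_CORE, 0)
    return limiter

def run_sandboxed(source: str, mem_bytes: int = 512 * 1024 * 1024,
                  cpu_seconds: int = 2, wall_seconds: float = 5.0) -> SandboxResult:
    """Run untrusted Python source in a separate, isolated interpreter under the limits.
    The host interprets the outcome and writes the error log; the child is not trusted
    to report on itself."""
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", source],   # -I: ignore user site and env vars
            capture_output=True, text=True, timeout=wall_seconds,
            preexec_fn=_apply_limits(mem_bytes, cpu_seconds),
        )
    except subprocess.TimeoutExpired:
        log.error("sandbox: wall-clock limit %.1fs exceeded, process killed", wall_seconds)
        return SandboxResult(False, None, "wall-clock limit exceeded", "")
    if proc.returncode == 0:
        return SandboxResult(True, 0, "completed", proc.stdout)
    # A negative code means the kernel killed the child with that signal (e.g. SIGXCPU)
    reason = ("killed by signal %d" % -proc.returncode if proc.returncode < 0
              else "exited with error")
    log.error("sandbox: %s; stderr tail: %s", reason, proc.stderr[-200:].strip())
    return SandboxResult(False, proc.returncode, reason, proc.stdout)

# Constructed sample programs
WELL_BEHAVED = "print('hello from the sandbox')"
MEMORY_HOG = "buf = bytearray(4 * 1024 ** 3)\nprint('allocated')"   # 4 GiB, far over the cap
CPU_HOG = "while True:\n    pass"
```

The memory hog fails with MemoryError inside the child and the CPU hog is killed by SIGXCPU, so neither ever reaches the host's resources beyond the caps.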
• 67. Auditing and assurance mechanisms
Auditing and assurance mechanisms are:
● Information integrity.
● Information auditing.
● Malware assurance.
Assurance is important in all domains of security, but it is particularly important in regard to systems and application development. Since much of the protection for an information system resides in software utilities and functions, it is vital that we have full confidence that the software systems are operating as designed and intended.
● Describe policies and techniques for system reliability and assurance.
● Identify special development situations and relevant mechanisms.
● Describe operations and acquisition management considerations and practices.
● Describe and understand change management principles.
• 68. Information integrity: Remember to provide checks for the integrity, consistency, and sanity of both input and output.
● Use cyclic counts for transactions, batch totals, hash totals, and balances.
● Compare what was processed against what was supposed to be processed.
● Check input accuracy; perform data validation and verification checks.
Information auditing: Auditing is important in a number of areas of security. It is not always easy to determine what information is relevant to the processing of a particular system. In addition, it would be very easy, in auditing the flow of information, to bury yourself in data. These points should guide you on the areas to attend to.
● Log and audit any action that could affect the release of sensitive information.
● The level and type of auditing depend on the features of the installed software and the sensitivity of the data.
● Record the types of activities and who took the action.
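The information integrity checks listed above (cyclic counts, batch totals, hash totals, comparing what was processed against what should have been, and data validation) worked through on a transaction batch, as an added example that is not part of the lecture deck. The record layout, the header fields and the sample batch are constructed for the demonstration.

```python
"""Batch control totals for transaction integrity, as an added example (not from
the lecture deck). The record layout, header fields and sample batch are constructed."""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List


@dataclass(frozen=True)
class Txn:
    seq: int          # cyclic sequence number assigned by the sender
    account: int      # account number; a non-financial field used for the hash total
    amount: Decimal


@dataclass(frozen=True)
class BatchHeader:
    record_count: int
    amount_total: Decimal   # batch total of a meaningful field
    hash_total: int         # sum of a field with no business meaning as a sum
    first_seq: int


def compute_controls(txns: List[Txn], first_seq: int) -> BatchHeader:
    """What the sender computes before transmission (what was supposed to be processed)."""
    return BatchHeader(
        record_count=len(txns),
        amount_total=sum((t.amount for t in txns), Decimal("0")),
        hash_total=sum(t.account for t in txns),
        first_seq=first_seq,
    )


def audit_batch(header: BatchHeader, txns: List[Txn]) -> Dict[str, str]:
    """What the receiver checks: compare what was processed against the header.
    Returns a dict of failed checks; an empty dict means the batch is clean."""
    findings: Dict[str, str] = {}
    got = compute_controls(txns, header.first_seq)
    if got.record_count != header.record_count:
        findings["record_count"] = f"expected {header.record_count}, got {got.record_count}"
    if got.amount_total != header.amount_total:
        findings["amount_total"] = f"expected {header.amount_total}, got {got.amount_total}"
    if got.hash_total != header.hash_total:
        findings["hash_total"] = f"expected {header.hash_total}, got {got.hash_total}"
    # Cyclic count: sequence numbers must run consecutively from first_seq, so a
    # dropped, duplicated or reordered record is caught even when the totals still agree.
    expected = list(range(header.first_seq, header.first_seq + header.record_count))
    if [t.seq for t in txns] != expected:
        findings["sequence"] = "gap, duplicate or reorder in sequence numbers"
    for t in txns:   # data validation: positive amounts with at most two decimals
        if t.amount <= 0 or t.amount.as_tuple().exponent < -2:
            findings["validation"] = findings.get("validation", "") + f" seq {t.seq};"
    return findings


# Constructed sample batch and the header the sender would attach to it
BATCH = [Txn(101, 4401, Decimal("120.50")), Txn(102, 4402, Decimal("75.00")),
         Txn(103, 4403, Decimal("9.99"))]
HEADER = compute_controls(BATCH, first_seq=101)
```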
• 69. Malware assurance: Effective and workable policies are one of the best protections against malware of all kinds. Most malware is permitted entry, or even aided, by users running software from questionable sources. When reviewing anti-malware systems, remember what the basic purpose is. Make the effectiveness of the system a prime consideration. Do not place undue emphasis on ease of use or pretty system interfaces that mask a lack of basic operational effectiveness. As noted previously, automated scanning is a good first line of defense, but is much less effective than manual scanning. Manual scanning should be done regularly as a backup. Regularly check that your anti-malware systems are, in fact, operating. Many users like to rely on disinfection to deal with malware: it seems a quick and easy solution. Note, however, that disinfection is not always effective and, in many cases, is not possible. The preferred and safer method of dealing with malware is to delete all malware found and replace infected items from a safe backup source. Activity monitoring and auditing are particularly important on communication systems. Monitoring of open ports and outgoing email may not prevent you from becoming infected, but it will often point out that you are infected or have a RAT or zombie installed.
• 70. Make specific checks of your operating system, server, and protective software. Keeping patched and updated is an important part of malware protection. Patch management is itself an important matter and will be discussed shortly. Note the mention of egress scanning: certain types or volumes of outbound traffic may indicate the presence of malware, even if regular scanning software does not detect it on individual machines. Now that you have learnt the basic concepts of programming languages and application security, the next section discusses in detail input validation and sensitive data, problems that arise from bad software design and can create potential vulnerabilities.