© 2007 NetSol Technologies, Inc. All rights reserved
Application Security
by:
M. Faisal Naqvi, CISSP
Senior Consultant – Information Security
NetSol Technologies Ltd.

AGENDA
• Programming Concepts
• Threats and Malware
• Software Protection
• Audit & Assurance Mechanisms
• Database Data Warehouse Environment
• Web Application Environment

Programming Concepts

Application vs. Operating System
• Project Management Controls
  ◦ Complexity of Systems and Projects
  ◦ Controls Built into Software

Generations of Programming Languages
• Generation I – Machine Language
• Generation II – Assembly Language
• Generation III – High-level Language
• Generation IV – Very high-level Language
• Generation V – Natural Language

Programming Languages
• COBOL, Fortran
• C, C-Plus, C++
• SmallTalk, Java, Eiffel
• Visual Programming Languages
  ◦ Visual Basic, Visual C, Delphi
• BASIC, Logo, JavaScript

HTML, XML and ActiveX
• HTML
• XML
• ActiveX

Program Utilities
• Assembler
• Compiler
• Interpreter

Programming Concepts
• System Model
• Von Neumann Architecture
• Object-Oriented Programming (OOP)
  ◦ Inheritance
  ◦ Polymorphism
  ◦ Polyinstantiation

Programming Concepts (Cont…)
• Distributed Component Object Model (DCOM)
• Common Object Request Broker Architecture (CORBA)
  ◦ [Diagram: ORB Security System with Policy Enforcement Code]
    1. Client Application sends Message
    2. Policy Implemented here
    3. Target Object

Threats & Malware

Threats & Malware
• Buffer Overflow
• Denial of Service
• Time of Check/Time of Use (TOC/TOU)

Threats & Malware (Cont…)
• Malformed Input Attacks
  ◦ SQL Injection
  ◦ Unicode Attack
• Executable Content/Mobile Code
  ◦ Web Applets
  ◦ Dynamic E-mail

Threats & Malware (Cont…)
• Object Reuse
• Garbage Collection
• Trap Door

Threats & Malware (Cont…)
• Incomplete Parameter Check and Enforcement
• Covert Channels
• Inadequate Granularity of Controls
• Social Engineering
• Multiple Paths to Information

Threats & Malware (Cont…)
• Malicious Software
  ◦ Modern malware is network aware
  ◦ Compatibility Platform Dominance
  ◦ Malware Functionality

Virus
• Reproduction – Central Characteristic
• Generally requires some action by the user
  ◦ May or may not carry payloads

Virus Types
• File Infector
• Boot Sector Infector
• System Infector
• Multipartite
• Macro Virus
• Script Virus
• Hoax

Virus Anti-Detection
• Stealth
• Tunneling
• Polymorphism
• Antivirus (anti-malware) Disabling

Virus Structure
• Infection/Reproduction
  ◦ Target Search
  ◦ Infection
  ◦ Avoidance
• Trigger
• Payload

Worm
• Reproduces
• Generally use loopholes in systems
  ◦ May not involve user
• Often attacks server software

Trojan Horse
• Purported to be a positive utility
• Hidden negative payload
• Social Engineering

Logic Bomb
• Generally Implanted by an Insider
• Waits for condition or time
• Triggers negative payload

Diddlers, Backdoors and RATs
• Data Diddler
• Backdoor, Trapdoor
• RAT (Remote Access Trojan)

Threats & Malware
• D-DOS Zombie
• Prank
• Spyware and Adware
• Phishing
• BotNets

Software Protection

System Life Cycle
• Project Management-based Methodology
• Typical Phases of a System Life Cycle

System Life Cycle (Cont…)
• Project Initiation and Planning
  ◦ Establish User Requirements
  ◦ Identify Alternatives
  ◦ Select/Approve Approach
• Required Security Activities
  ◦ Determine Security Requirements
  ◦ Conduct Risk Analysis
  ◦ Define Security Strategy

System Life Cycle (Cont…)
• Functional Design Definition
  ◦ Develop Project Plan
  ◦ Identify Functional Requirements
  ◦ Set Test Criteria
  ◦ Define Strategy
  ◦ Develop Functional Baseline
• Required Security Activities
  ◦ Identify Security Areas
  ◦ Security Tools
  ◦ Include Security Reqs. in RFP’s Contracts
  ◦ Establish Security Requirements
  ◦ Include Functional Security Reqs.

System Life Cycle (Cont…)
• Detailed Design Specifications
  ◦ Prepare Detailed Designs
  ◦ Update Testing Goals and Plans
  ◦ Develop Formal Baseline
• Required Security Activities
  ◦ Establish Security Specifications
  ◦ Update Security Test Plans
  ◦ Document Security Baseline

System Life Cycle (Cont…)
• Develop & Document
  ◦ Develop System
  ◦ Unit Testing & Evaluation
  ◦ Document System
• Required Security Activities
  ◦ Develop Security Code
  ◦ Security Code Evaluation
  ◦ Document Security Code

System Life Cycle (Cont…)
• Acceptance, Testing and Transition to Production
  ◦ [Flow diagram, labels as extracted: Test / Validate / Implement; Security Components / Security Code / Security Controls; Document / Certify; Security in Integrated System / Secure Operations / Accept Secure System; Security Components / Integrated System / Project Manuals / Security Performance / Acceptance Test / System]
• Required Security Activities

System Life Cycle (Cont…)
• Decommissioning / Disposal
  ◦ Critical Data Recovered or Destroyed
  ◦ Media sanitized or destroyed
  ◦ Software removal

Software Development Methods
• Waterfall
• Spiral
• Clean-room
• Structured Programming Development

Software Development Methods (Cont…)
• Iterative Development
• Joint Analysis Development (JAD)
• Prototyping
• Modified Prototype Model (MPM)
• Explanatory Model
• Rapid Application Development (RAD)

Software Development Methods
• Reuse Model
• Computer Aided Software Engineering (CASE)
• Component Based Development
• Extreme Programming

Additional Software Protection Mechanisms
• Cryptography
• Access Controls
• Open Source
• Social Engineering Awareness
• Backup and Redundancy Controls
• Malicious Code Control
• Documentation and Common Program Controls
• Testing and Evaluation
• Mobile Code Controls
• Data Containment Controls

Audit & Assurance Mechanisms

Auditing and Assurance Mechanisms
• Information Integrity
• Information Auditing
• Malware Assurance

Change Management Process
• Formal Request for Change
• Analyze Request for feasibility, Impact, timeline (security)
• Develop Implementation Strategy
• Approval of Change
• Development of Change
• Implementation & testing of Change
• Review of Change Effectiveness
• Report to Management

Testing
• Last chance to avoid the disaster
• Testing is intended to find the problems
  ◦ Tests should address all normal and unexpected entries and conditions
• Do not compromise privacy with test data

Configuration Management
• Configuration Management
• Patch Management
• Patch Management Process

Patch Management
• Potential problem areas:
  ◦ Distribution System Failures
  ◦ Inadequate Testing & Validation
  ◦ Patch Rollback
  ◦ Load on the network
  ◦ Stability issues and other regression issues

Database & Data Warehouse Environment

Database Environment
• Database Management Systems
  ◦ Databases – Developed to manage Information from many sources in one location
• Eliminates duplication of information
• Preserves storage space
• Prevents inconsistency in data by making changes in one central location

Database Environment (Cont…)
• Major Elements
• DBMS Should provide
  ◦ Transaction Persistence
  ◦ Fault Tolerance and Recovery
  ◦ Sharing by Multiple Users
  ◦ Security Controls

DBMS Models
• Hierarchical DBMS
  ◦ Stores Records in a single Table
  ◦ Parent/Child Relationship
  ◦ Limited to a single tree
  ◦ Difficult to link branches
  ◦ [Tree diagram, by level: Car; Toyota, Honda, Suzuki; Citi, Civic, Accord; 4-door, 2-door]

DBMS Models (Cont…)
• Network DBMS
  ◦ Represents data as network of records and sets that are related to each other, forming a network of links
  ◦ Record types – records of the same type
  ◦ Set types – relationship between record types

DBMS Models (Cont…)
[Network diagram, node labels as extracted: Ford, Mazda, BMW; Regular Mazda 6; Truck ESeries; Regular Mazda 3; 4 x 4 x 3; Truck Freestar; 4 x 4 x 5; 5 Speed Transmission; Leather Interior; Front & Rear Climate Controls]

DBMS Models (Cont…)
• Relational DBMS
  ◦ Most Frequently used DBMS model
  ◦ Data are structured in tables
  ◦ Columns represent the variables (attributes)
  ◦ Rows contain the specific instances (records) of data

DBMS Models (Cont…)
Author Table
| Author No. | Last Name | First Name | State |
| 123456 | Smithson | Mary | CA |
| 234567 | Rogers | Mike | NY |
| 345678 | Tucker | Sally | CT |
| 456789 | Gleason | Sarah | IL |
[Diagram labels: Tuples/Rows; Attributes/Columns; Primary Key]

DBMS Models (Cont…)
Book Table
| Book No. | Book Title | Book Type | Book Price | Author No. |
| B1234 | Learning Databases Models | Computer | 1500 | |
| B2345 | Data Modeling Techniques | | 1200 | 234567 |
| B3456 | Designing Databases | Computer | 1600 | 123456 |
| B4567 | Secrets of Databases | Computer | 1800 | 345678 |
Author Table
| Author No. | Last Name | First Name | State |
| 123456 | Smithson | Mary | CA |
| 234567 | Rogers | Mike | NY |
| 345678 | Tucker | Sally | CT |
| 456789 | Gleason | Sarah | IL |
[Diagram labels: Primary Keys; Foreign Key]

DBMS Models (Cont…)
• Relational Database Security Issues
  ◦ Ensuring integrity of input data
  ◦ Preventing deadlocking
• Access Control

DBMS Models (Cont…)
• OODBMS & ORDBMS
  ◦ OODBMS (Object Oriented Database Management System)
  ◦ ORDBMS (Object Relational Database Management System)

Database Interface Language
• Open Database Connectivity (ODBC)
• Java Database Connectivity (JDBC)
• Extensible Markup Language (XML)
• Structured Query Language (SQL)

Database Security Issues
• Interface
• Aggregation
• Unauthorized Access
• Improper Modification of Data
• Access Availability
• Query Attacks
• Bypass Attacks
• Interception of Data
• Web Security
• Data Containment

View Based Access Controls
• Constrained Views
• Sensitive data is hidden from unauthorized users
• Controls located in the front-end application (user interface)

Data Warehouse
• Consolidated view of enterprise data
• Data Mart
• Designed to support decision making through data mining

Building Data Warehouse
• Feed all data into large high security database
• Normalize the data
• Mine the data for correlations to produce metadata
• Sanitize and export the metadata to its intended users

Metadata
• Information about data
• Provides unseen relationships between data

Knowledge Discovery in Database (KDD)
• Methods of Identifying patterns in data
• Some KDD methods use artificial intelligence (AI) techniques
• Probabilistic Models
• Statistical Approach
• Classification Approach
• Deviation & Trend Analysis
• Neural Networks
• Expert System Approach

Online Transaction Processing (OLTP)
• Record Transactions as they occur – in real time
• Security concerns are concurrency and atomicity
• Lock controls

Lock Controls – The ACID Test
• Atomicity
• Consistency
• Isolation
• Durability

Web Application Environment

Web Site Incidents
• Vandalism
• Financial Fraud
• Privileged Access
• Theft of Transaction Information
• Theft of Intellectual Property
• Denial of Service (DoS)

Web Hacks
• Majority of hacks at the application level
• Firewalls provide minimum protection
• Information Gathering
• Administrative Interfaces
• Configuration Management
• Authentication and Access Control

Web Hacks (Cont…)
• Input validation
• Parameter Manipulation
• Session Management

Web Application Security Principles
• Validate all input and output
• Fail Secure (closed)
• Fail Safe
• Make it simple
• Defense in depth
• Only as secure as your weakest link
• Security by obscurity

Web Application Security Principles (Cont…)
• Don’t cache secure pages
• Ensure all encryption meets industry standards
• Monitor third party code vendors for security alerts
• Handle exceptions properly
• Don’t trust any data from client
• Don’t trust any data from other servers, partners or other parts of the application

Review Questions

1. Databases are used to combine the data from many sources into one discrete source. Which of the following is not a reason to create a database?
a. A database will eliminate the need for data duplication across many systems
b. A database will preserve storage space
c. A database will prevent inconsistencies in the data by eliminating multiple copies of data
d. A database will deter insider inference attacks

2. Database design models have changed over the years. Which of the following models places the data in tables where the rows represent records and the columns represent attributes?
a. Hierarchical database management system
b. Relational database management system
c. Network database management system
d. Divergent database management system

3. Relational database management systems are used to show associations between objects contained in the database. Which of the following best describes a foreign key?
a. A foreign key is used to uniquely identify each row in the database
b. A foreign key is used to index a database
c. A foreign key is used to link elements of a table
d. A foreign key is used to join one table to the primary key of another table

4. In a relational database, which of the following is true concerning a primary key?
a. A primary key must contain a common identifier associated with all entries into a table
b. A primary key must contain a non-null value in order to uniquely identify the tuple
c. Primary keys can be identified by their unique number letter format
d. The use of primary keys is only required in network database management systems, and does not apply to RDBMS

5. Anne in the accounting department and Bill in auditing are both attempting to access an identical value on the accounts receivable database. Anne accesses the amount normally, but Bill receives an error message indicating that he has “read only” access. One possible reason for the error message is that the database management system (DBMS) has built-in features to prevent which of the following?
a. Static access retrieval
b. Automated Queries
c. Inference attacks
d. Deadlocking

6. Which of the following database attacks describes an attack where the perpetrator uses information gained through authorized activity to reach a conclusion relating to unauthorized data?
a. Unauthorized access attack
b. Bypass attack
c. SQL attack
d. Inference

7. Acme Corp. performs a nightly data transfer from all their active databases to a centralized server. The data is then normalized and the central server is queried to gain performance results for all sales locations. This activity describes which of the following?
a. Data warehouse
b. RDBMS
c. Data performance analysis
d. Metadata

8. A database that uses pre-defined grouping of data that can only be accessed based upon a user authorization level uses which of the following access control models?
a. Role based access control
b. Mandatory access control
c. View based access control
d. Front end delineated access control

9. An artificial intelligence system that gathers information from subject matter experts and attempts to use programmed rules to analyze problems and suggest a recommended course of action is called which of the following?
a. Classification approach
b. Probabilistic approach
c. Statistical approach
d. Expert system approach

10. After being closed for the weekend, on Monday morning Acme Corp. finds that their servers are running slow. The CPU utilizations are showing 100% utilization. Network traffic is also exceptionally high. At the close of business on Friday, all systems were behaving normally. Closer examination is likely to reveal which of the following infestations?
a. Data Diddler
b. D-DOS Attack
c. Virus
d. Worm

11. A screen saver that opens an encrypted tunnel to a website under malicious control with the purpose of allowing attackers access to the infected machine is an example of which of the following malware?
a. Logic Bomb
b. Trojan Horse
c. Virtual Private Network
d. Spyware

12. One of the most significant differences between the software development life cycle and the system life cycle is that the software development life cycle does not include which of the following phases?
a. Decommissioning/Disposal
b. Startup/requirements
c. Development/construction
d. Operational testing

13. Which of the following is not a software development method?
a. Iterative development
b. Joint Interactive
c. Computer Aided Software Engineering
d. Reuse model

14. One of the major differences between a software compiler and a software interpreter is that:
a. A software compiler will translate lines of code on the fly
b. An interpreter will translate lines of code on the fly
c. A software compiler will convert high level programming language into assembly code
d. An interpreter will convert high level programming language into assembly code

15. The primary key is used to uniquely identify records in a database. By adding additional variables to the primary key, two items with the same identifier can be differentiated. This is often used to prevent inference attack. Which of the following is best described by this scenario?
a. Polymorphism
b. Poly-alphabetic
c. Polyinstantiation
d. Polyvariabolic

16. Common Object Request Broker Architecture (CORBA) is designed to?
a. Control access to called object modules
b. Prevent objects in one class from affecting objects in another class
c. Ensure that the calling objects use inheritance properties properly
d. Determine access permissions for message-passing operations

17. Applications can NOT use which of the following methods to detect system attacks?
a. Known Signature Scanning
b. Activity Monitoring
c. Change Detection
d. Differential Linear Analysis

18. Configuration management ensures that approved changes are implemented as approved. Change management ensures which of the following?
a. Corporate officers are aware of all impending changes
b. Applicable regulatory compliance is adhered to
c. Changes are submitted, approved and recorded
d. Configuration changes are assigned to the most qualified individuals

19. Periodic vendor bug and vulnerability fixes need to be installed by a patch management system. These systems are limited in scope by which of the following?
a. Network bandwidth
b. Version of the operating system under test
c. Limits on agent operation
d. Source code availability

20. Accreditation and certification deal with similar security issues. Which of the following statements is true about certification and accreditation?
a. Accreditation is the technical analysis of a system to ensure that specific security requirements are met
b. Certification is technical analysis of a system to ensure that specific security requirements are met
c. Accreditation is the sign-off by the IT staff that the system under test meets manufacturer’s security specifications
d. Certification is the sign-off by the IT staff that the system under test meets manufacturer’s security specifications

21. XYZ Corp. has created a new application for tracking customer information as well as their product database. Of the following individuals, who should be given full access and control over this application?
a. Network administrator
b. No one
c. Security administrator
d. Application developer

Application Security

  • 1.
    © 2007 NetSolTechnologies, Inc. All rights reserved Application Security by: M. Faisal Naqvi, CISSP Senior Consultant – Information Security NetSol Technologies Ltd.
  • 2.
    © 2007 NetSolTechnologies, Inc. All rights reserved AGENDA  Programming Concepts  Threats and Malware  Software Protection  Audit & Assurance Mechanisms  Database Data Warehouse Environment  Web Application Environment
  • 3.
  • 4.
    © 2007 NetSolTechnologies, Inc. All rights reserved Application vs. Operating System  Project Management Controls Complexity of Systems and Projects Controls Built into Software
  • 5.
    © 2007 NetSolTechnologies, Inc. All rights reserved Generations of Programming Languages  Generation I – Machine Language  Generation II – Assembly Language  Generation III – High-level Language  Generation IV – Very high-level Language  Generation V – Natural Language
  • 6.
    © 2007 NetSolTechnologies, Inc. All rights reserved Programming Languages  COBOL, Fortran  C, C-Plus, C++  SmallTalk, Java, Eiffel  Visual Programming Languages Visual Basic, Visual C, Delphi  BASIC, Logo, JavaScript
  • 7.
    © 2007 NetSolTechnologies, Inc. All rights reserved HTML, XML and ActiveX  HTML  XML  ActiveX
  • 8.
    © 2007 NetSolTechnologies, Inc. All rights reserved Program Utilities  Assembler  Compiler  Interpreter
  • 9.
    © 2007 NetSolTechnologies, Inc. All rights reserved Programming Concepts  System Model  Von Neumann Architecture  Object-Oriented Programming (OOP) Inheritance Polymorphism Polyinstantiation
  • 10.
    © 2007 NetSolTechnologies, Inc. All rights reserved Programming Concepts (Cont…)  Distributed Component Object Model (DCOM)  Common Object Request Broker Architecture (CORBA) Policy Enforcement Code ORB Security System 1. Client Application sends Message 3. Target Object 2. Policy Implemented here
  • 11.
  • 12.
    © 2007 NetSolTechnologies, Inc. All rights reserved Threats & Malware  Buffer Overflow  Denial of Service  Time of Check/Time of Use (TOC/TOU)
  • 13.
    © 2007 NetSolTechnologies, Inc. All rights reserved Threats & Malware (Cont…)  Malformed Input Attacks SQL Injection Unicode Attack  Executable Content/Mobile Code Web Applets Dynamic E-mail
  • 14.
    © 2007 NetSolTechnologies, Inc. All rights reserved Threats & Malware (Cont…)  Object Reuse  Garbage Collection  Trap Door
  • 15.
    © 2007 NetSolTechnologies, Inc. All rights reserved Threats & Malware (Cont…)  Incomplete Parameter Check and Enforcement  Covert Channels  Inadequate Granularity of Controls  Social Engineering  Multiple Paths to Information
  • 16.
    © 2007 NetSolTechnologies, Inc. All rights reserved Threats & Malware (Cont…)  Malicious Software Modern malware is network aware Compatibility Platform Dominance Malware Functionality
  • 17.
    © 2007 NetSolTechnologies, Inc. All rights reserved Virus  Reproduction – Central Characteristic  Generally requires some action by the user May or may not carry payloads
  • 18.
    © 2007 NetSolTechnologies, Inc. All rights reserved Virus Types  File Infector  Boot Sector Infector  System Infector  Multipartite  Macro Virus  Script Virus  Hoax
  • 19.
    © 2007 NetSolTechnologies, Inc. All rights reserved Virus Anti-Detection  Stealth  Tunneling  Polymorphism  Antivirus (anti-malware) Disabling
  • 20.
    © 2007 NetSolTechnologies, Inc. All rights reserved Virus Structure  Infection/Reproduction Target Search Infection Avoidance  Trigger  Payload
  • 21.
    © 2007 NetSolTechnologies, Inc. All rights reserved Worm  Reproduces  Generally use loopholes in systems May not involve user  Often attacks server software
  • 22.
    © 2007 NetSolTechnologies, Inc. All rights reserved Trojan Horse  Purported to be a positive utility  Hidden negative payload  Social Engineering
  • 23.
    © 2007 NetSolTechnologies, Inc. All rights reserved Logic Bomb  Generally Implanted by an Insider  Waits for condition or time  Triggers negative payload
  • 24.
    © 2007 NetSolTechnologies, Inc. All rights reserved Diddlers Backdoors and Rats  Data Diddler  Backdoor, Trapdoor  RAT (Remote Access Trojan)
  • 25.
    © 2007 NetSolTechnologies, Inc. All rights reserved Threats & Malware  D-DOS Zombie  Prank  Spyware and Adware  Phishing  BotNets
  • 26.
  • 27.
    © 2007 NetSolTechnologies, Inc. All rights reserved System Life Cycle  Project Management-based Methodology  Typical Phases of a System Life Cycle
  • 28.
    © 2007 NetSolTechnologies, Inc. All rights reserved System Life Cycle (Cont…)  Project Initiation and Planning Establish User Requirements Identify Alternatives Select/Approve Approach Determine Security Requirements Conduct Risk Analysis Define Security Strategy Required Security Activities
  • 29.
    © 2007 NetSolTechnologies, Inc. All rights reserved System Life Cycle (Cont…)  Functional Design Definition Develop Project Plan Identify Functional Requirements Set Test Criteria Identify Security Areas Security Tools Include Security Reqs. in RFP’s Contracts Required Security Activities Define Strategy Develop Functional Baseline Establish Security Requirements Include Functional Security Reqs.
  • 30.
    © 2007 NetSolTechnologies, Inc. All rights reserved System Life Cycle (Cont…)  Detailed Design Specifications Prepare Detailed Designs Update Testing Goals and Plans Develop Formal Baseline Establish Security Specifications Update Security Test Plans Document Security Baseline Required Security Activities
  • 31.
    © 2007 NetSolTechnologies, Inc. All rights reserved System Life Cycle (Cont…)  Develop & Document Develop System Unit Testing & Evaluation Document System Develop Security Code Security Code Evaluation Document Security Code Required Security Activities
  • 32.
    © 2007 NetSolTechnologies, Inc. All rights reserved System Life Cycle (Cont…)  Acceptance, Testing and Transition to Production Test Validate Implement Security Components Security Code Security Controls Required Security Activities Document Certify Security in Integrated System Secure Operations Accept Secure System Security Components Integrated System Project Manuals Security Performance Acceptance Test System
  • 33.
    © 2007 NetSolTechnologies, Inc. All rights reserved System Life Cycle (Cont…)  Decommissioning / Disposal Critical Data Recovered or Destroyed Media sanitized or destroyed Software removal
  • 34.
    © 2007 NetSolTechnologies, Inc. All rights reserved Software Development Methods  Waterfall  Spiral  Clean-room  Structured Programming Development
  • 35.
    © 2007 NetSolTechnologies, Inc. All rights reserved Software Development Methods (Cont…)  Iterative Development  Joint Analysis Development (JAD)  Prototyping  Modified Prototype Model (MPM)  Explanatory Model  Rapid Application Development (RAD)
  • 36.
    © 2007 NetSolTechnologies, Inc. All rights reserved Software Development Methods  Reuse Model  Computer Aided Software Engineering (CASE)  Component Based Development  Extreme Programming
  • 37.
    © 2007 NetSolTechnologies, Inc. All rights reserved Additional Software Protection Mechanisms  Cryptography  Access Controls  Open Source  Social Engineering Awareness  Backup and Redundancy Controls  Malicious Code Control  Documentation and Common Program Controls  Testing and Evaluation  Mobile Code Controls  Data Containment Controls
  • 38.
  • 39.
    © 2007 NetSolTechnologies, Inc. All rights reserved Auditing and Assurance Mechanisms  Information Integrity  Information Auditing  Malware Assurance
  • 40.
    © 2007 NetSolTechnologies, Inc. All rights reserved Change Management Process  Formal Request for Change  Analyze Request for feasibility, Impact, timeline (security)  Develop Implementation Strategy  Approval of Change  Development of Change  Implementation & testing of Change  Review of Change Effectiveness  Report to Management
  • 41.
    © 2007 NetSolTechnologies, Inc. All rights reserved Testing  Last chance to avoid the disaster  Testing is intended to find the problems Tests should address all normal and unexpected entries and conditions  Do not compromise privacy with test data
  • 42.
    © 2007 NetSolTechnologies, Inc. All rights reserved Configuration Management  Configuration Management  Patch Management  Patch Management Process
  • 43.
    © 2007 NetSolTechnologies, Inc. All rights reserved Patch Management  Potential problem areas: Distribution System Failures Inadequate Testing & Validation Patch Rollback Load on the network Stability issues and other regression issues
  • 44.
  • 45.
    © 2007 NetSolTechnologies, Inc. All rights reserved Database Environment  Database Management Systems Databases – Developed to manage Information from many sources in one location  Eliminates duplication of information  Preserves storage space  Prevents inconsistency in data by making changes in one central location
  • 46.
    © 2007 NetSolTechnologies, Inc. All rights reserved Database Environment (Cont…)  Major Elements  DBMS Should provide Transaction Persistence Fault Tolerance and Recovery Sharing by Multiple Users Security Controls
  • 47.
    © 2007 NetSolTechnologies, Inc. All rights reserved DBMS Models  Hierarchical DBMS Stores Records in a single Table Parent/Child Relationship Limited to a single tree Difficult to link branches Car Toyota Honda Suzuki Citi Civic Accord 4-door 2-door
  • 48.
    DBMS Models (Cont…)
    - Network DBMS
      - Represents data as a network of records and sets that are related to each other, forming a network of links
      - Record types – records of the same type
      - Set types – relationship between record types
  • 49.
    DBMS Models (Cont…)
    [Figure: network DBMS diagram; node labels: Ford, Mazda, BMW, Regular, Mazda 6, Truck, ESeries, Regular, Mazda 3, 4 x 4 x 3, Truck, Freestar, 4 x 4 x 5, 5 Speed Transmission, Leather Interior, Front & Rear Climate Controls]
  • 50.
    DBMS Models (Cont…)
    - Relational DBMS
      - Most frequently used DBMS model
      - Data are structured in tables
      - Columns represent the variables (attributes)
      - Rows contain the specific instances (records) of data
  • 51.
    DBMS Models (Cont…)
    Author Table
    Author No.  Last Name  First Name  State
    123456      Smithson   Mary        CA
    234567      Rogers     Mike        NY
    345678      Tucker     Sally       CT
    456789      Gleason    Sarah       IL
    (Figure labels: Tuples/Rows, Attributes/Columns, Primary Key)
  • 52.
    DBMS Models (Cont…)
    Book Table
    Book No.  Book Title                 Book Type  Book Price  Author No.
    B1234     Learning Databases Models  Computer   1500
    B2345     Data Modeling Techniques              1200        234567
    B3456     Designing Databases        Computer   1600        123456
    B4567     Secrets of Databases       Computer   1800        345678
    Author Table
    Author No.  Last Name  First Name  State
    123456      Smithson   Mary        CA
    234567      Rogers     Mike        NY
    345678      Tucker     Sally       CT
    456789      Gleason    Sarah       IL
    (Figure labels: Primary Keys, Foreign Key)
  • 53.
    DBMS Models (Cont…)
    - Relational Database Security Issues
      - Ensuring integrity of input data
      - Preventing deadlocking
    - Access Control
  • 54.
    DBMS Models (Cont…)
    - OODBMS & ORDBMS
      - OODBMS (Object Oriented Database Management System)
      - ORDBMS (Object Relational Database Management System)
  • 55.
    Database Interface Language
    - Open Database Connectivity (ODBC)
    - Java Database Connectivity (JDBC)
    - Extensible Markup Language (XML)
    - Structured Query Language (SQL)
  • 56.
    Database Security Issues
    - Interface
    - Aggregation
    - Unauthorized Access
    - Improper Modification of Data
    - Access Availability
    - Query Attacks
    - Bypass Attacks
    - Interception of Data
    - Web Security
    - Data Containment
  • 57.
    View Based Access Controls
    - Constrained Views
    - Sensitive data is hidden from unauthorized users
    - Controls located in the front-end application (user interface)
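The Author/Book tables and the constrained view described above, as an added example (not from the original slides) using Python's built-in sqlite3. Table, view and role names are assumptions; because SQLite has no GRANT, the front-end function decides which relation a role reads, as the slide describes.

```python
import sqlite3

# Table, view and role names are assumptions; rows are the complete ones from the slides.
AUTHORS = [(123456, "Smithson", "Mary", "CA"), (234567, "Rogers", "Mike", "NY"),
           (345678, "Tucker", "Sally", "CT"), (456789, "Gleason", "Sarah", "IL")]
BOOKS = [("B3456", "Designing Databases", "Computer", 1600, 123456),
         ("B4567", "Secrets of Databases", "Computer", 1800, 345678)]
# Front-end policy: each role may read exactly one relation (hypothetical roles).
ROLE_SOURCE = {"clerk": "catalogue", "accountant": "book"}

def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite checks foreign keys only when enabled
    db.executescript("""
        CREATE TABLE author (author_no INTEGER PRIMARY KEY, last_name TEXT NOT NULL,
                             first_name TEXT NOT NULL, state TEXT NOT NULL);
        CREATE TABLE book (book_no TEXT PRIMARY KEY, title TEXT NOT NULL,
                           book_type TEXT, price INTEGER,
                           author_no INTEGER NOT NULL REFERENCES author(author_no));
        -- Constrained view: joins on the foreign key, omits price and state.
        CREATE VIEW catalogue AS
            SELECT b.book_no, b.title, a.last_name, a.first_name
            FROM book b JOIN author a ON a.author_no = b.author_no;
    """)
    with db:
        db.executemany("INSERT INTO author VALUES (?, ?, ?, ?)", AUTHORS)
        db.executemany("INSERT INTO book VALUES (?, ?, ?, ?, ?)", BOOKS)
    return db

def rows_for(db, role):
    """Return the rows a role may see; unknown roles are refused (fail closed)."""
    source = ROLE_SOURCE.get(role)
    if source is None:
        raise PermissionError(f"role {role!r} has no database access")
    # 'source' comes from the fixed allow-list above, never from user input.
    cur = db.execute(f"SELECT * FROM {source} ORDER BY book_no")
    cols = [c[0] for c in cur.description]
    return [dict(zip(cols, row)) for row in cur]

def add_book(db, book):
    """Insert a book; a row whose author_no matches no author is rejected."""
    try:
        with db:
            db.execute("INSERT INTO book VALUES (?, ?, ?, ?, ?)", book)
        return True
    except sqlite3.IntegrityError:
        return False

if __name__ == "__main__":
    db = build_db()
    print(rows_for(db, "clerk"))
    print(add_book(db, ("B9999", "Constructed Title", "Computer", 100, 999999)))
```

In a server DBMS the same split is enforced in the database itself by granting SELECT on the view and not on the base tables, which also covers clients that bypass the front end.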
  • 58.
    Data Warehouse
    - Consolidated view of enterprise data
    - Data Mart
    - Designed to support decision making through data mining
  • 59.
    Building Data Warehouse
    - Feed all data into a large, high-security database
    - Normalize the data
    - Mine the data for correlations to produce metadata
    - Sanitize and export the metadata to its intended users
  • 60.
    Metadata
    - Information about data
    - Provides unseen relationships between data
  • 61.
    Knowledge Discovery in Database (KDD)
    - Methods of identifying patterns in data
    - Some KDD methods use artificial intelligence (AI) techniques
    - Probabilistic Models
    - Statistical Approach
    - Classification Approach
    - Deviation & Trend Analysis
    - Neural Networks
    - Expert System Approach
  • 62.
    Online Transaction Processing (OLTP)
    - Record transactions as they occur – in real time
    - Security concerns are concurrency and atomicity
    - Lock controls
  • 63.
    Lock Controls – The ACID Test
    - Atomicity
    - Consistency
    - Isolation
    - Durability
  • 64.
  • 65.
    Web Site Incidents
    - Vandalism
    - Financial Fraud
    - Privileged Access
    - Theft of Transaction Information
    - Theft of Intellectual Property
    - Denial of Service (DoS)
  • 66.
    Web Hacks
    - Majority of hacks at the application level
    - Firewalls provide minimum protection
    - Information Gathering
    - Administrative Interfaces
    - Configuration Management
    - Authentication and Access Control
  • 67.
    Web Hacks (Cont…)
    - Input validation
    - Parameter Manipulation
    - Session Management
  • 68.
    Web Application Security Principles
    - Validate all input and output
    - Fail Secure (closed)
    - Fail Safe
    - Make it simple
    - Defense in depth
    - Only as secure as your weakest link
    - Security by obscurity
  • 69.
    Web Application Security Principles (Cont…)
    - Don’t cache secure pages
    - Ensure all encryption meets industry standards
    - Monitor third party code vendors for security alerts
    - Handle exceptions properly
    - Don’t trust any data from client
    - Don’t trust any data from other servers, partners or other parts of the application
  • 70.
  • 71.
    1. Databases are used to combine the data from many sources into one discrete source. Which of the following is not a reason to create a database?
       a. A database will eliminate the need for data duplication across many systems
       b. A database will preserve storage space
       c. A database will prevent inconsistencies in the data by eliminating multiple copies of data
       d. A database will deter insider inference attacks
  • 72.
    2. Database design models have changed over the years. Which of the following models places the data in tables where the rows represent records and the columns represent attributes?
       a. Hierarchical database management system
       b. Relational database management system
       c. Network database management system
       d. Divergent database management system
  • 73.
    3. Relational database management systems are used to show associations between objects contained in the database. Which of the following best describes a foreign key?
       a. A foreign key is used to uniquely identify each row in the database
       b. A foreign key is used to index a database
       c. A foreign key is used to link elements of a table
       d. A foreign key is used to join one table to the primary key of another table
  • 74.
    4. In a relational database, which of the following is true concerning a primary key?
       a. A primary key must contain a common identifier associated with all entries into a table
       b. A primary key must contain a non-null value in order to uniquely identify the tuple
       c. Primary keys can be identified by their unique number letter format
       d. The use of primary keys is only required in network database management systems, and does not apply to RDBMS
  • 75.
    5. Anne in the accounting department and Bill in auditing are both attempting to access an identical value on the accounts receivable database. Anne accesses the amount normally, but Bill receives an error message indicating that he has “read only” access. One possible reason for the error message is that the database management system (DBMS) has built-in features to prevent which of the following?
       a. Static access retrieval
       b. Automated Queries
       c. Inference attacks
       d. Deadlocking
  • 76.
    6. Which of the following database attacks describes an attack where the perpetrator uses information gained through authorized activity to reach a conclusion relating to unauthorized data?
       a. Unauthorized access attack
       b. Bypass attack
       c. SQL attack
       d. Inference
  • 77.
    7. Acme Corp. performs a nightly data transfer from all their active databases to a centralized server. The data is then normalized and the central server is queried to gain performance results for all sales locations. This activity describes which of the following?
       a. Data warehouse
       b. RDBMS
       c. Data performance analysis
       d. Metadata
  • 78.
    8. A database that uses pre-defined groupings of data that can only be accessed based upon a user's authorization level uses which of the following access control models?
       a. Role based access control
       b. Mandatory access control
       c. View based access control
       d. Front end delineated access control
  • 79.
    9. An artificial intelligence system that gathers information from subject matter experts and attempts to use programmed rules to analyze problems and suggest a recommended course of action is called which of the following?
       a. Classification approach
       b. Probabilistic approach
       c. Statistical approach
       d. Expert system approach
  • 80.
    10. After being closed for the weekend, on Monday morning Acme Corp. finds that their servers are running slow. CPU utilization is showing 100%. Network traffic is also exceptionally high. At the close of business on Friday, all systems were behaving normally. Closer examination is likely to reveal which of the following infestations?
       a. Data Diddler
       b. D-DOS Attack
       c. Virus
       d. Worm
  • 81.
    11. A screen saver that opens an encrypted tunnel to a website under malicious control with the purpose of allowing attackers access to the infected machine is an example of which of the following malware?
       a. Logic Bomb
       b. Trojan Horse
       c. Virtual Private Network
       d. Spyware
  • 82.
    12. One of the most significant differences between the software development life cycle and the system life cycle is that the software development life cycle does not include which of the following phases?
       a. Decommissioning/Disposal
       b. Startup/requirements
       c. Development/construction
       d. Operational testing
  • 83.
    13. Which of the following is not a software development method?
       a. Iterative development
       b. Joint Interactive
       c. Computer Aided Software Engineering
       d. Reuse model
  • 84.
    14. One of the major differences between a software compiler and a software interpreter is that:
       a. A software compiler will translate lines of code on the fly
       b. An interpreter will translate lines of code on the fly
       c. A software compiler will convert high level programming language into assembly code
       d. An interpreter will convert high level programming language into assembly code
  • 85.
    15. The primary key is used to uniquely identify records in a database. By adding additional variables to the primary key, two items with the same identifier can be differentiated. This is often used to prevent inference attacks. Which of the following is best described by this scenario?
       a. Polymorphism
       b. Poly-alphabetic
       c. Polyinstantiation
       d. Polyvariabolic
  • 86.
    16. Common Object Request Broker Architecture (CORBA) is designed to:
       a. Control access to called object modules
       b. Prevent objects in one class from affecting objects in another class
       c. Ensure that the calling objects use inheritance properties properly
       d. Determine access permissions for message-passing operations
  • 87.
    17. Applications can NOT use which of the following methods to detect system attacks?
       a. Known Signature Scanning
       b. Activity Monitoring
       c. Change Detection
       d. Differential Linear Analysis
  • 88.
    18. Configuration management ensures that approved changes are implemented as approved. Change management ensures which of the following?
       a. Corporate officers are aware of all impending changes
       b. Applicable regulatory compliance is adhered to
       c. Changes are submitted, approved and recorded
       d. Configuration changes are assigned to the most qualified individuals
  • 89.
    19. Periodic vendor bug and vulnerability fixes need to be installed by a patch management system. These systems are limited in scope by which of the following?
       a. Network bandwidth
       b. Version of the operating system under test
       c. Limits on agent operation
       d. Source code availability
  • 90.
    20. Accreditation and certification deal with similar security issues. Which of the following statements is true about certification and accreditation?
       a. Accreditation is the technical analysis of a system to ensure that specific security requirements are met
       b. Certification is the technical analysis of a system to ensure that specific security requirements are met
       c. Accreditation is the sign-off by the IT staff that the system under test meets the manufacturer’s security specifications
       d. Certification is the sign-off by the IT staff that the system under test meets the manufacturer’s security specifications
  • 91.
    21. XYZ Corp. has created a new application for tracking customer information as well as their product database. Of the following individuals, who should be given full access and control over this application?
       a. Network administrator
       b. No one
       c. Security administrator
       d. Application developer