The document outlines the topics covered in a course on secure software development. It discusses secure software concepts, requirements, design, implementation, testing, deployment and maintenance. It also covers standards, methodologies, regulations and cryptography relevant to developing secure software.

1. ©Copyrights 2013-2016 by Masoud Ostad
CSSLP by (ISC)2
Course
©2013-2016 DESIGN AND DEVELOPMENT BY
MASOUD OSTAD
VERSION 1.5 BETA
1

2. ©Copyrights 2013-2016 by Masoud Ostad
Course Outline
 Secure Software Concepts
 Secure Software Requirements
 Secure Software Design Note
 Secure Software Implementation and Coding Note
 Secure Software Testing
 Software Deployment, Operations, Maintenance and
Disposal
 *This color module in next version or refer to Application
Reverse Engineering Presentation
2

3. ©Copyrights 2013-2016 by Masoud Ostad
3

4. ©Copyrights 2013-2016 by Masoud Ostad
 While there is no indication that other organizations in this space are addressing
the knowledge areas in the same manner as the CSSLP, the following are
addressing software development and/or security in the software lifecycle:
 IEEE: CSDA and CSDP (Software Development)
 SANS: GSSP-C, GSSP-J (Language specific secure coding)
 ISSECO: CSSE (Entry level education program with certificate of completion)
 DHS: Software Assurance Initiative (Awareness Program/Forum)
 Vendor-Specific: Sun Microsystems SCJP, Microsoft MCSD, Symantec -
based on internal lifecycle process or technology specific
Key Players

5. ©Copyrights 2013-2016 by Masoud Ostad
CSSLP
(ISC)²
Professional Certification
Program
CSDA
(IEEE)
Associate Level
Status
CSDP
(IEEE)
Professional
Certification Program
GSSP-C
(SANS)
Software Coder
Certification Program
GSSP-J
(SANS)
Software Coder
Certification Program
Software
Assurance
Initiative
(DHS)
Awareness Effort
CSSE
(ISSECO)
Entry-level
Education
Program
Certificate of
Completion
Vendor-
Specific
Credentials
Our Course Overlap with Other Certification

6. ©Copyrights 2013-2016 by Masoud Ostad
Secure Software Concepts
Core Concepts of Secure Software
Security Design Principles
Privacy
Governance, Risk, and Compliance
(GRC)
Software Development Methodologies
6

7. ©Copyrights 2013-2016 by Masoud Ostad
Holistic Security 7

8. ©Copyrights 2013-2016 by Masoud Ostad
Holistic Security Challenge
Iron Triangle
Constraints
Security as an
Afterthought
Security Versus
Usability
8

9. ©Copyrights 2013-2016 by Masoud Ostad
Iron Triangle Constraints
Scope
Schedule Budget
9

10. ©Copyrights 2013-2016 by Masoud Ostad
Relative Cost of Software Defects 10

11. ©Copyrights 2013-2016 by Masoud Ostad
TQM
 Security is not separate of Product Quality
 Before release or developed you should be test
product
 Code structure test
 Feature test
 Function test
 Logical Test
 Match with ISO standard
 For example ITIL like 6Sigma
11

12. ©Copyrights 2013-2016 by Masoud Ostad
Security Profile Model 12

13. ©Copyrights 2013-2016 by Masoud Ostad
Security Profile Detail
 Authentication
The identifying information provided in this mechanism
for validation is something that you own or have
 Knowledge
 Provide a Mechanism for valid Identity like : UN/PW or Passphrase
or PIN
 Ownership
 Provide a Mechanism for valid Specify Identity like Token or Smart
Card
 Characteristic
 Provide a Mechanism for valid Specify Identity mix with Biometric
Method like Fingerprint , Blood ,Retina , Face and Voice
13

14. ©Copyrights 2013-2016 by Masoud Ostad
Security Profile Detail
 Authorization
 its top of layer of security concern or upper authentication
 This method shown area of access or number of access
 For detect material of user like human or not
 With Authorization can manage an Object or target
 For example in Database use (CRUD Concept)
 Availability
 BCP
 SLA
14

15. ©Copyrights 2013-2016 by Masoud Ostad
Security Profile Detail
 Accountability and Non-repudiation
 Auditing is the security concept in which privileged and critical
businesses transactions are logged and tracked.
 For example an online shopping store view by Customer or Developer
 At a bare minimum, audit fields which include who (the subject which may
be a user or process) did what (operations such as create, read, update,
delete etc.), where (the object on which the operation is performed such as
a file or table) and when (timestamp of the operation) along with a before
and after snapshot of the information that was changed must be logged for
all administrative (privilege) or critical transactions as defined by the business.
 Never overwrite new log on old log
 Non-repudiation addresses the deniability of actions taken by either a
user or the software on behalf of the user.
 In Iran Like National Code Validation or NCV
15

16. ©Copyrights 2013-2016 by Masoud Ostad
Risk Management Standard
 National Institute of Standards and Technology deploy SP800-64
 Systems Development Life Cycle or SDLC
 CSSLP must be familiar with are covered in this section
 Some of the definitions used in this section are from NIST Risk
Management Guide to Information Technology Systems special
publication 800-30 (SP 800-30).
 In the next page explain terminology
16

17. ©Copyrights 2013-2016 by Masoud Ostad
Standard Terminology 17
Asset
Vulnerability
Threat Protection
Attack
Probability Impact
Exposure
Factor
Control

18. ©Copyrights 2013-2016 by Masoud Ostad
Type of Security Standard 18
Standards
Internal
e.g. Coding Standards
External
Industry
e.g. PCI-DSS
Government
e.g. NIST Standard
International
e.g. ISO Series
National
e.g. FIPS

19. ©Copyrights 2013-2016 by Masoud Ostad
SP 800-30: Risk Management Guide
for IT for Example
19

20. ©Copyrights 2013-2016 by Masoud Ostad
Federal Information Processing
(FIPS) standards for Example
 Some of the well-known FIPS publications that
are closely related to software security are
 FIPS 140: Security Requirement for Cryptographic
Modules
 FIPS 186: Digital Signature Standard
 FIPS 197: Advanced Encryption Standard
20

21. ©Copyrights 2013-2016 by Masoud Ostad
ISO/IEC 15408-1:2005 EAL for
Example
21

22. ©Copyrights 2013-2016 by Masoud Ostad
Software Development
Methodologies
Waterfall model
Iterative model
Spiral model
22

23. ©Copyrights 2013-2016 by Masoud Ostad
Waterfall Model
Requirement
Design
Implementation
Verification
Maintenance
23

24. ©Copyrights 2013-2016 by Masoud Ostad
Iterative Model for Small Project 24

25. ©Copyrights 2013-2016 by Masoud Ostad
Spiral Model (Mix Model) 25

26. ©Copyrights 2013-2016 by Masoud Ostad
Regulations, Privacy and
Compliance
Gramm-Leach-Bliley Act (GLB Act)
Health Insurance Portability and
Accountability Act (HIPAA)
State Security Breach Laws
Or Privacy Terms
26

27. ©Copyrights 2013-2016 by Masoud Ostad
Trust Computing Security Model 27
Ring0
OS Kernel
Ring1
IO Utilities
Ring2
Drivers
Ring3
User Application

28. ©Copyrights 2013-2016 by Masoud Ostad
28

29. ©Copyrights 2013-2016 by Masoud Ostad
Security Requirement Essential 29

30. ©Copyrights 2013-2016 by Masoud Ostad
Availability Requirement
 MTD : Maximum Tolerable Downtime
 RTO : Recovery Time Object
 BIA : Business Impact Analyst
30

31. ©Copyrights 2013-2016 by Masoud Ostad
Additional Security Requirement 31

32. ©Copyrights 2013-2016 by Masoud Ostad
Confidentiality Requirement 32

33. ©Copyrights 2013-2016 by Masoud Ostad
Masking Confidentiality Method
Masking
Method
In Transit
In Processing
In Storage
33

34. ©Copyrights 2013-2016 by Masoud Ostad
Type of Access Control Model
ACM
Discretionar
y Access
Control
(DAC)
Non-
Discretionar
y Access
Control
(NDAC)
Mandatory
Access
Control
(MAC)
Role-Based
Access
Control
(RBAC)
Resource-
Based
Access
Control
34
• DAC on Object
• NDAC on User
• MAC on User mapping Object
• RBAC make Role and assign
role to User
• Use Role and Group Role
• REBAC on Resource of System

35. ©Copyrights 2013-2016 by Masoud Ostad
Protection Needs Elicitation (PNE)
 PNE begins with the discovery of assets that need
to be protected from unauthorized access and
users.
 Some standard force to used this concept like
 The Information Assurance Technical Framework (IATF)
 The United States National Security Agency (NSA)
 The Information Systems Security Engineering (ISSE)
35

36. ©Copyrights 2013-2016 by Masoud Ostad
Protection Needs Elicitation (PNE)
Techniques
36

37. ©Copyrights 2013-2016 by Masoud Ostad
Policy Decomposition 37

38. ©Copyrights 2013-2016 by Masoud Ostad
38

39. ©Copyrights 2013-2016 by Masoud Ostad
Type of Cryptography 39

40. ©Copyrights 2013-2016 by Masoud Ostad
Symmetric Algorithm 40

41. ©Copyrights 2013-2016 by Masoud Ostad
Asymmetric Algorithm Method 41

42. ©Copyrights 2013-2016 by Masoud Ostad
Digital Certificate Component 42

43. ©Copyrights 2013-2016 by Masoud Ostad
Data Integrity using Hash Functions 43

44. ©Copyrights 2013-2016 by Masoud Ostad
Unsalted Hash 44

45. ©Copyrights 2013-2016 by Masoud Ostad
Salted Hash 45

46. ©Copyrights 2013-2016 by Masoud Ostad
Recreational Integrity or RDBMS 46

47. ©Copyrights 2013-2016 by Masoud Ostad
Availability Design
Replication
Replication usually follows
a master-slave or primary-
secondary backup
scheme in which there is
one master or primary
node and dates are
propagated to the slaves
or secondary node either
actively or passively.
Fail Over
In computing, failover
refers to the automatic
switching from an active
transactional software,
server, system, hardware
component or network to
standby (or redundant)
system.
47

48. ©Copyrights 2013-2016 by Masoud Ostad
Other Design Considerations
User
Interface
Application
Programming
Interfaces
Security
Management
Interfaces
Out-of-Band
Interface
Log
Interfaces
48

49. ©Copyrights 2013-2016 by Masoud Ostad
Type of Malware 49
Malware
Proliferative
Virus
Worm
Stealth ware
Spyware
Adware
Trojan
Rootkit
Ransomware

50. ©Copyrights 2013-2016 by Masoud Ostad
Cloud Model
50

51. ©Copyrights 2013-2016 by Masoud Ostad
Type of Cloud 51

52. ©Copyrights 2013-2016 by Masoud Ostad
Mobile Architecture 52

53. ©Copyrights 2013-2016 by Masoud Ostad
53

54. ©Copyrights 2013-2016 by Masoud Ostad
Programming Language 54

55. ©Copyrights 2013-2016 by Masoud Ostad
Compile and Linking 55

56. ©Copyrights 2013-2016 by Masoud Ostad
List of Organization for application
bug track and security advisory
 The National Vulnerability Database (NVD)
 Common Vulnerabilities and Exposures (CVE)
 Common Weakness Enumeration (CWE™)
 OWASP Top 10
 Open Source Vulnerability Database
 US Computer Emergency Response Team (CERT)
Vulnerability Notes Database
56

57. ©Copyrights 2013-2016 by Masoud Ostad
Man-in-The Middle 57

58. ©Copyrights 2013-2016 by Masoud Ostad
Man-in-The Middle is E2E Solution 58

59. ©Copyrights 2013-2016 by Masoud Ostad
Electronic Social Engineering
Phishing Pharming
Vishing SMSishing
ESE
59

60. ©Copyrights 2013-2016 by Masoud Ostad
Secure Software Processes
Versioning(CM)
Code Analysis(Syntax)(Automatic)
Code/Peer
review(Logic)(Manual)
60

61. ©Copyrights 2013-2016 by Masoud Ostad
Acquisition Lifecycle phases 61

62. ©Copyrights 2013-2016 by Masoud Ostad
62
©Copyright 2013-2016 by Masoud Ostad