Data Breach
A confirmed incident in which sensitive, confidential, or otherwise protected data has been accessed or disclosed in an unauthorized fashion.
ex: PHI (personal health information), PII (personally identifiable information), trade secrets, intellectual property
Security Concepts (AKA CIA Triad) (SC)
From top, right, left:
- Confidentiality: data is secured to authorized parties only
- Integrity: data is trusted
- Availability: data is accessible when and where needed
From left, right, bottom:
- Authenticity: components can prove their identity
- Non-repudiation: service provides a trusted audit trail
- Privacy: services does not automatically see customer data
[SC] Authentication vs Authorization
- Authentication (1st): verifies who you are
- Authorization (2nd): decides if you have permissions to access a resource
Top 10 Security Principles
- authenticate requests received on a network port
- follow principle of least privilege
- encrypt all credentials
- test by abusing
- assume no one else will secure it; validate it
- hard code no passwords, user ids, etc
- avoid security by obscurity/keep security simple
- understand 3rd party components
- EVERYONE IS RESPONSIBLE FOR SECURITY
Security w/in an SDLC (S in SDLC)
Software security best practices involve explicitly thinking about the security situations throughout the SDLC.
- know and understand common risks
- design for security
- all software artifacts subject to thorough, objective risk analysis and testing
- security should be its own set of requirements for the app
[Security Terms] Vulnerability
A weakness (in an information system, security system procedure, or implementation) that could be exploited/triggered.
[Security Terms] Threat
A potential violation or security which exists when there is a circumstance, capability, action, or event that could breach security and cause harm.
[Security Terms] Threat Agent
An individual or group which can manifest a threat.
[Security Terms] Asset
A major app, general support system, high impact project, physical plant, mission critical system, personnel, equipment, or a logically related group of systems.
[Security Terms] Risk
(level of threat) * (level of vulnerability). Likelihood of a successful attack.
[Security Terms] Countermeasure
Reactive methods use to prevent an exploit from successfully occurring once a threat has been detected.
ex: IPS (intrusion prevention systems), patches, access control lists, malware filters
[Security Terms] Security Model
- Owners value ASSETS
- Owners wish to minimize RISK to ASSETS
- Owners impose COUNTERMEASURES to reduce RISK to ASSETS
- Owners impose COUNTERMEASURES that may possess VULNERABILITIES leading to RISK to ASSETS
- Threat agents wish to abuse and/or damage ASSETS
- Threat agents give rise to THREATS to ASSETS
- Threat agents give rise to THREATS that exploit VULNERABILITIES leading to RISK to assets
- Threat agents give risk to THREATS that increase RISK to ASSETS
Application Threat Modeling [ATM]
An structured approach for analyzing the security of an application that enables you to identify, quantify, and address the security risks with an application.
[ATM] Process
1) Identify Assets
2) Create an Architecture Overview
3) Decompose the Application
4) Identify the Threats
5) Document the Threats
6) Rate the Threats
Security Design Practices
- earn/give, but never assume, trust
- authentication mechanism that can’t be bypassed/tampered with
- authorize after you authenticate
- explicitly validate ALL data (client-side and server-side)
- external 3rd party components change your attack surface
Security Testing [ST]
A type of software testing that intends to uncover vulnerabilities of the system and determine that its data and resources are protected from intruders.
[ST] of an Application Component (AST)
- Network
- System Software
- Client-side
- Server-side
[AST] Static vs Dynamic
STATIC
- White box
- Analyzes source code of binaries
- Covers all execution paths
- Finds vulnerabilities early in SDLC (analysis/design/coding phases)
DYNAMIC
- Black box
- Requires running application
- Testing with pre-defined test data sets
- Finds vulnerabilities later in SDLC (integration/systems phases)
[AST] Coverage
STATIC (N.I.C.T)
- null pointer dereference
- insecure crypto issues
- code quality issues
- threading issues
DYNAMIC (B.A.R.S)
- business logic vulnerabilities
- authentication issues
- runtime privilege issues
- session management issues
BOTH (S.X.X.L.H.B)
- SQL Injection
- XSS Injection
- XPATH injection
- LDAP injection
- HTTPS Responses Splitting
- Buffer Overflows
[ST] Principles
- think strategically, not tactically (patch and penetrate model w/out proper investigation of the root cause is ineffective)
- integrate security into each phase of the S.D.L.C.
- test early and test often
- think outside the box
[ST] Techniques
- manual inspections and reviews
- threat modeling
(helps system designers to think about the security threats that their sys/app faces)
(enables designer to develop mitigation strategies for potential vulnerabilities) - code review
- penetration testing: remotely testing an app to find vulnerabilities without knowing apps inner workings
