What does Confidentiality assure?
Assures that only authorized individuals are able to view information.
What does Availability assure?
Assures that the data or the systems, are available for the authorized user when required.
What does Integrity assure?
Assures that only authorized individuals are able to change information.
List the two CIA extension
Non-repudiation (assures non-denial of communication) and Authenticity (assures the identity of the communicating party.)
Define vulnerability
Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
Define threat
Any situation with the potential to adversely impact organizational operations and assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
What is Applications Security?
Measures taken to improve the security of an application often by finding, fixing and preventing security vulnerabilities.
List the Secure Design Considerations
** Least Privilege*
– Allow each user/process minimum privileges to do their work.
** Separation of Duties*
– Assign different people as programmer and code reviewer.
** Defense in Depth*
– Design software that will not break down even if one security mechanism has been broken(redundant).
** Fail Secure*
– Design your program to recover or terminate safely upon
any form of failure.
** Psychological Acceptability*
– Security protection mechanism should be easy to use.
Example of a Secure Design Processes
Threat Modelling is to systematically identify and rate the threats that are most likely to affect your system.
Threat Modeling Steps
- Defining security requirements
- Creating an application diagram
- Identify the threats (STRIDE)
- Mitigating threats
- Validating that the threats have been mitigated
List some of the Common Software Vulnerabilities
– Buffer overflows
– Unvalidated input
– Race conditions
– Access-control problems
– Weaknesses in authentication, authorization, or cryptographic implementations
List some examples of Defensive Coding Practices
- Attack Surface Evaluation and Reduction
- Input Validation
- Canonicalization
- Use of Recommended Cryptographic Algorithms
- Exception Management
Secure Software Processes (during Implementation)
** Version Control*
– When code is checked out by someone for changes, no one else can make changes to the code until it has been checked in
** Code Analysis*
– Inspecting code for exploitable weaknesses
– Static Code Analysis: inspection without code execution (e.g. Fortify)
– Dynamic Code Analysis: inspection during code execution (e.g.BoundsChecker)
** Code/Peer Review*
– Inspecting for insecure code and inefficient code
List Secure Software Testing
- Threat modeling
- Automated tools
- Manual source code analysis and review
- Brute force testing (e.g. fuzzing)
- Penetration testing
Microsoft SDL Practices
- Provide Training
- Define Security Requirements
- Define Metrics and Compliance Reporting
- Perform Threat Modeling
- Establish Design Requirements
- Define and Use Cryptography Standards
- Manage the Security Risk of Using Third-Party
Components - Use Approved Tools
- Perform Static Analysis Security Testing (SAST)
- Perform Dynamic Analysis Security Testing (DAST)
- Perform Penetration Testing
- Establish a Standard Incident Response Process
The Software Assurance Maturity Model (SAMM)
- Flexible open framework to meet different risks and sizes of organization
- Four critical Business Functions
- Three Security Practices per Business functions
- Three maturity levels for each of the twelve security practices
OWASP Proactive Controls
C1 Define Security Requirements
C2 Leverage Security Frameworks and Libraries
C3 Secure Database Access
C4 Encode and Escape Data
C5 Validate All Inputs
C6 Implement Digital Identity
C7 Enforce Access Controls
C8 Protect Data Everywhere
C9 Implement Security Logging and Monitoring
C10 Handle All Errors and Exceptions
