Cyber Security in the Development of Software Systems - Coggle Diagram
Cyber Security in the Development of Software Systems
7.1 Protection of the Development Environment
The development environment, where application code is created
Why Protect the Development Environment?
code - intellectual property (sale of application code)
attackers can review code for its vulnerabilities that can be used after its release
immediate access to sensitive data
ideal bases for internal and external attacks
Security Hygiene for Development Environments
security hygiene:
network firewalls
least privilege for access
security, application, and system log monitoring
rigorous security patching for operating systems and software
virus protection for each computer
7.2 Secure Development
it is vital to educate application creators about security practices (since they do not routinely build secure programming techniques into their code)
OWASP and the Top Ten Application Security Vulnerabilities
community-based organization dedicated to the improvement of application security
provides advice and education on code security
OWASP TOP TEN SECURITY RISKS...
Cross site scripting (XSS)
This type of exploit allows a remote attacker to update a web page with their own code
the victim's browser executes the unsanitized input
(input injected into the page, which can lead to: sending messages to the victim; redirecting victims to another website; stealing authentication credentials or hijacking the session)
(both allow the attacker to remotely manipulate systems resources to their own ends)
Injection attacks
SQL injection: commands are sent directly to the database
delete info, add users to an app or a system, change stored info
exposure of remote login sessions
(both allow the attacker to remotely manipulate systems resources to their own ends)
Broken authentication (broken access control)
includes any vulnerabilities that allow attackers to compromise identities
info is available to the wrong user
Using components with known vulnerabilities and security misconfiguration
default passwords
insecure code library
mismanaged storage permissions
developers must not be allowed to use components with already known vulnerabilities
XML External Entities (XXE)
when an XML (markup language) file is uploaded to a system, the processor may be exploited to request actions on the hosting server.
this attack can disclose the contents of files on the server
files and processes should be kept external (separated) from the XML processor (any program that can read and process XML documents is known as an XML processor)
Insecure deserialization vulnerabilities
the method of attack is to create a data stream that, when reconstructed, attempts to exploit the receiving information system or application
(the object is broken into several parts that travel linearly across the network and are reconstructed into the original object at the destination)
the deserialised stream can therefore be malicious
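The defensive point behind insecure deserialization is that the receiver must decide what types it is willing to reconstruct before it reads the stream. The following added example (not from the original diagram) applies this to Python's pickle format using the allow-listing pattern from the Python pickle documentation, and contrasts it with a plain-data format (JSON) plus a shape check. The payloads are constructed in the block itself; `Config` is a harmless stand-in for any class the receiver did not agree to accept.

```python
import io
import json
import pickle


class RestrictedUnpickler(pickle.Unpickler):
    """Only the builtin types a plain data record needs may be referenced by
    the stream; any other module/class reference is refused before it is
    resolved, so the stream cannot name code of its choosing."""
    ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "str"),
               ("builtins", "int"), ("builtins", "float"), ("builtins", "bool")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return getattr(__import__(module), name)
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def loads_or_reject(data: bytes):
    # Returns (accepted, object); rejection is a normal outcome, not a crash.
    try:
        return True, restricted_loads(data)
    except pickle.UnpicklingError:
        return False, None


def load_json_record(data: bytes):
    # Preferred alternative: a format that carries data only, with the
    # expected shape checked explicitly after parsing.
    obj = json.loads(data)
    if not isinstance(obj, dict) or set(obj) != {"user", "role"}:
        raise ValueError("unexpected record shape")
    if not all(isinstance(v, str) for v in obj.values()):
        raise ValueError("unexpected field type")
    return obj


class Config:
    """Hypothetical application class; stands in for any type the receiver
    never agreed to reconstruct from the network."""


# Constructed payloads: a plain record, and a stream that names a class
# outside the allow-list.
SAFE_PAYLOAD = pickle.dumps({"user": "alice", "role": "user"})
UNEXPECTED_PAYLOAD = pickle.dumps(Config())


if __name__ == "__main__":
    print(loads_or_reject(SAFE_PAYLOAD))        # (True, {'user': 'alice', 'role': 'user'})
    print(loads_or_reject(UNEXPECTED_PAYLOAD))  # (False, None)
    print(load_json_record(b'{"user": "bob", "role": "admin"}'))
```

The allow-list is deliberately tiny; widening it to arbitrary classes reintroduces the problem, which is why the JSON path with an explicit shape check is the better default for data crossing a trust boundary.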
Types of Application Security Tools
both types should be incorporated into a code development program
Static application security testing (SAST)
used early in the code lifecycle
as blocks of application code are completed, SAST can be run on them
checks indications of vulnerability in the code itself
Dynamic application security testing (DAST)
used when code has been deployed and is running
capable of testing without access to the application code itself
provides evidence of vulnerabilities by showing the application's actual output
7.3 Common Criteria
an ISO standard; its three sections are publicly available free of charge
auditors evaluate the objectives and the implementation of the security
vendor - the supplier of the security product
ISO/IEC 15408-1
overview of the Common Criteria system and models protection profiles (PP)
overview of the evaluation process
ISO/IEC 15408-2
measurement of security components
defines different kinds of security functionality (authentication, for example)
functional requirements of target of evaluation
mechanisms to defend against threats
IN SIMPLE WORDS: defines what functionality security products may provide
ISO/IEC 15408-3
measurement for security assurance components
Evaluation Assurance Levels (EAL):
from EAL1 “functionally tested” to EAL7 “formally verified design and tested”
IN SIMPLE WORDS: defines how well this functionality is implemented
Criticism
infrastructure, operations and administration are not in scope of Common Criteria; those items must be set by the organization itself
the customer should routinely examine the vendor's product for compliance with performance and assurance standards
the customer must review the audit scope (all objects and processes that are examined in the audit)
TEST:
Which vulnerability allows an attacker to send mobile code to the victim’s web browser? cross-site scripting (XSS)
What type of vulnerability grants too much access to authenticated application users? broken access control
What do the OWASP Top Ten vulnerabilities have in common?
Security experts agree these are the most dangerous types of vulnerabilities.
What does Common Criteria measure? security product adherence to their functional and assurance requirements
Which of these is a requirement for security hygiene in the development environment?