Common Security Properties
Confidentiality, Privacy, Integrity, Availability, Access Controls, Authentication and Authorisation
Security Property: Confidentiality
Preventing unauthorised disclosure of information
Security Property: Privacy
Protection of personal data
Security Property: Integrity
Prevent unauthorised modification of information or service
Security Property: Availability
Prevent unauthorised withholding of information or service
Security Property: Access controls
Prevent unauthorised access to data or resources
Security Property: Authentication
Prevent users from falsifying their identity
Security Property: Authorisation
Prevent users from violating their privileges
Security Through The Development Cycle
Requirements & Use Cases
Requirements & Use Cases Sections
Abuse Cases
Design Sections
Risk Analysis
Test Plan Section
Risk-based Security Tests
Code Section
Static Analysis
Test Results
Risk Analysis
Field Feedback
Security Breaks
Key Attributes to Characterise Threats
Elapsed Time
Threat Characterisation: Elapsed Time
Time taken to identify & exploit vulnerability; longer = threat vanishes
Threat Characterisation: Specialist Knowledge Required
Technical expertise needed (Layman
Threat Characterisation: Knowledge of Target
Design & operational knowledge (Public
Threat Characterisation: Window of Opportunity
Level of access and time window (Unlimited
Threat Characterisation: Equipment and Resources Needed
Hardware/software required (Standard
Threat Analysis: Impact Rating Categories
Safety
Risk-Based Approach to Cybersecurity Requirements
Threat Analysis
Threat Analysis Components
Asset identification
Risk Assessment Components
Impact Rating
What is TARA?
Threat Analysis & Risk Assessment
TARA Steps
Asset Identification
TARA Pre-requisites
Item Boundary
Asset Identification - WHAT
WHO
Threat Modelling - WHERE
WHEN
What is an asset?
Object that has value or contributes to value
What is a cybersecurity property?
An attribute of an asset that is worth protecting
What is a damage scenario?
An adverse consequence due to some attack
What is a threat scenario?
A potential cause of compromise that may lead to damage
Threat Modelling - STRIDE
Spoofing
STRIDE - Spoofing
A person or entity masquerading as another
STRIDE - Tampering
Insertion
STRIDE - Repudiation
An entity denying responsibility for an action
STRIDE - Information Disclosure
Provision or leak of info to unauthorised entity
STRIDE - Denial of Service
Making resource unavailable to authorised entities
STRIDE - Elevation of Privilege
An entity gains greater authorisation than permitted
STRIDE AREAS FOR DIFFERENT DFD ELEMENTS
Processes - STRIDE
Attack Paths
Actions taken to realise a threat scenario
Impact Rating Categories
Safety
Impact Rating Severity
Severe
Risk Treatment Options
Avoid (redesign)
What is Software Testing?
Evaluation against functional or non-functional requirements
What is connectivity?
Cloud computing
What is a vulnerability?
A weakness exploitable by 1+ threats
What is security testing?
Software evaluation against Security Requirements
Types of Software Testing
Static testing & Dynamic Testing
What is Static Software Testing?
Reviewing artifacts without execution (manual/code)
What is Dynamic Software Testing?
Execution & verification of software via test cases
Security Testing Purposes: Functional
Validating all intended security functionality
Security Testing Purposes: Vulnerability
Identifying unintended vulnerabilities via malicious/unexpected input
Exploitation
Malicious input/steps to exploit a vulnerability
Attack
Performing exploitation to violate security property
What are security testers?
People simulating hackers to exploit system vulnerabilities
Model-based Security Testing
Auto & systematic test case generation from system/environment models
Benefits of model-based security testing
Early review
Input models for model-based testing
Attacker models
Testing Attacker Models
Attacker’s targets
Testing Vulnerability Models
Encoding weaknesses in system models
Testing Properties Models
Encoding asset security properties to protect
Abstract Test Cases (ATCs)
Sequence of attack actions
If all attack actions succeed
Successful Attack
If one or more attack actions fail
Failed Attack
ATC passes if…
Execution is not successful
Code-Based Security Testing (CBST)
Detecting vulnerabilities via source code
Manual Code Review
Expert reviewing source code line-by-line
Expertise Needed for Code Review
Architecture
SAST
Static Application Security Testing
SAST Analysis
Syntactic (e.g. insecure APIs)
Penetration Testing
Simulated real-world attacks using real tools & techniques
Pros of Pen-Testing
System tolerance
Cons of Pen-Testing
Labour intensive
Fuzz Testing
Stress system with unexpected inputs via interfaces
Fuzz Testing Techniques
Random
Phases of a vulnerability
Zero-day
Vulnerability Management Options
Full Disclosure
Full Disclosure
Public release – incentivises patch but may enable attackers
Non-Disclosure
No info to public – risky if consumers unprepared
Partial Disclosure
Shared with key stakeholders to prepare before public release