The CWE/SANS Top 25 Most Dangerous Software Errors categorizes security vulnerabilities resulting from poor programming into what three categories?
• Insecure interaction between components
• Risky resource management
• Porous defenses
Software Error Category: Insecure Interaction Between Components
— SQL injection
— OS command injection
— cross-site scripting
— unrestricted file upload with dangerous type
— CSRF
— URL redirect to untrusted site
Software Error Category: Risky Resource Management
— classic buffer overflow
— path traversal
— download code without integrity check
— inclusion of functionality from untrusted control sphere
— use of potentially dangerous function
— incorrect calculation of buffer size
— uncontrolled format string
— integer overflow or wraparound
Software Error Category: Porous Defenses
• Missing Authentication for Critical Function
• Missing Authorization
• Use of Hard-coded Credentials
• Missing Encryption of Sensitive Data
• Reliance on Untrusted Inputs in a Security Decision
• Execution with Unnecessary Privileges
• Incorrect Authorization
• Incorrect Permission Assignment for Critical Resource
• Use of a Broken or Risky Cryptographic Algorithm
• Improper Restriction of Excessive Authentication Attempts
• Use of a One-Way Hash without a Salt
Critical web application security flaws include five related to insecure software code:
• Unvalidated input
• Cross-site scripting
• Buffer overflow
• Injection flaws
• Improper error handling
The NIST report _____________ presents a range of approaches to reduce the number of software vulnerabilities
NISTIR 8151
________________ is designing and implementing software so that it continues to function even when under attack
defensive programming / secure programming
What is the key rule in defensive programming?
The key rule is to never assume anything: check all assumptions and handle every possible error state
TRUE/FALSE
Assumptions need to be validated by the program and all potential failures handled gracefully and safely
TRUE
What is the software development lifecycle (SDLC)?
1. Project initiation and planning
2. Functional requirements and definition
3. System design specification
4. Build (develop) and document
5. Acceptance testing
6. Implementation (transition to production)
7. Operations and maintenance
8. Disposal
What is the waterfall development cycle?
• Requirement gathering and analysis: gather all the software requirements and document them in a requirement specification document
• System design: hardware specification and system design, defining an overall system architecture
• Implementation: divide the program into units based on functionality and unit-test each unit
• Integration and testing: integrate all the units and test the entire system for faults and failures
• Deployment of system: once all testing of functional and non-functional requirements has completed successfully, the software is deployed and released
• Maintenance: keep track of issues and develop patches to fix them; new versions may be developed and released
______________ is based on small project iterations, or sprints, for developing the software instead of long project schedules
Agile development cycle
TRUE/FALSE
Organizations that use Agile produce smaller deliverables more frequently and evaluate a large project in terms of its individual pieces as they are completed
TRUE
How long are sprints generally?
1-4 weeks
Who develops publications outlining industry best practices for software assurance and providing practical advice for implementing proven methods for secure software development?
Software Assurance Forum for Excellence in Code (SAFECode)
TRUE/FALSE
Explicitly validate assumptions on size and type of values before use
TRUE
TRUE/FALSE
Safe coding treats all input as safe
FALSE
Safe coding treats all input as dangerous
The ___________________ bug is a recent example of a failure to check the validity of a binary input value
2014 Heartbleed OpenSSL
Where do injection attacks most often occur?
scripting languages
What is a cross site scripting (XSS) attack?
Attacks where input provided by one user is subsequently output to another user
What is the XSS reflection vulnerability?
Attacker includes the malicious script content in data supplied to a site
What allows attackers to bypass authentication?
SQL injection
What attacks can SQL injection enable?
— authentication bypass
— info disclosure
— compromised availability of data
— remote command execution
— interaction with OS
What are some countermeasures for SQL injection?
— secure software development
— input validation and sanitization
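Added example (not from the original study set): the authentication-bypass card and the countermeasures card together, in Python against an in-memory SQLite table. The table, the user record, and the allow-list regex are constructed for this example; the two attacker inputs are the classic comment-out and tautology payloads. The vulnerable login concatenates user input into the SQL text; the safe login validates the username against an allow-list and passes both values as query parameters, so the database never treats input as SQL.

```python
import re
import sqlite3

# Allow-list for usernames (an assumption for this app, not from the page).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table. Plaintext passwords are used only so the
    injection itself stays visible; a real system stores a salted hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds SQL by concatenation: the user's quote characters become SQL syntax."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Input validation (allow-list) plus a parameterised query: the driver sends
    the values separately from the SQL text, so input cannot change its structure."""
    if not USERNAME_RE.match(username):
        return False
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


# Constructed attacker inputs: a comment that removes the password clause, and a
# tautology that makes the WHERE clause true for every row.
COMMENT_OUT = ("alice' --", "wrong")
TAUTOLOGY = ("nobody", "x' OR '1'='1")


def demo() -> dict:
    """Run legitimate and injected credentials through both login functions."""
    conn = make_db()
    return {
        "vulnerable_legit": login_vulnerable(conn, "alice", "correct horse"),
        "vulnerable_comment": login_vulnerable(conn, *COMMENT_OUT),
        "vulnerable_tautology": login_vulnerable(conn, *TAUTOLOGY),
        "safe_legit": login_safe(conn, "alice", "correct horse"),
        "safe_comment": login_safe(conn, *COMMENT_OUT),
        "safe_tautology": login_safe(conn, *TAUTOLOGY),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```

The tautology case is the one to watch: the username passes the allow-list, so only the parameterised query stops it. Validation narrows what reaches the database; parameterisation is what actually prevents the injection.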
What is transforming input data into a single, standard, minimal representation?
canonicalization
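Added example (not from the original study set): canonicalization applied to the path-traversal item from the Risky Resource Management list. The document root, directory tree, and inputs are constructed in a temporary directory for this example. Percent-decoding is repeated to collapse double encoding, NUL bytes are rejected, and the access decision is made on the `os.path.realpath` form, which also follows symlinks, something a purely lexical `normpath` check misses.

```python
import os
import tempfile
import urllib.parse


def canonicalize(base: str, user_path: str) -> str:
    """Reduce base/user_path to the single, standard, minimal representation
    the filesystem will actually use."""
    # Decode repeatedly so %2e%2e and double-encoded %252e%252e both become "..".
    decoded = user_path
    for _ in range(5):
        once = urllib.parse.unquote(decoded)
        if once == decoded:
            break
        decoded = once
    # A NUL byte would truncate the name in the C runtime underneath Python.
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    # realpath collapses '.', '..' and '//' and resolves symlinks; an absolute
    # user path simply replaces base here and is caught by the containment check.
    return os.path.realpath(os.path.join(base, decoded))


def is_within_base(base: str, user_path: str) -> bool:
    """Authorisation decision made on the canonical form, never on raw input."""
    base = os.path.realpath(base)
    try:
        resolved = canonicalize(base, user_path)
    except ValueError:
        return False
    return os.path.commonpath([base, resolved]) == base


def demo() -> dict:
    """Constructed inputs against a throwaway tree: base/docs and a symlink
    base/escape that points outside the tree."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.realpath(os.path.join(tmp, "files"))
        os.makedirs(os.path.join(base, "docs"))
        os.symlink(tmp, os.path.join(base, "escape"))
        expected = {
            "docs/readme.txt": True,
            "docs/../docs/./readme.txt": True,
            "../../etc/passwd": False,
            "%2e%2e/%2e%2e/etc/passwd": False,
            "%252e%252e/secret": False,
            "/etc/passwd": False,
            "docs/a.txt\x00.jpg": False,
            "escape/other.txt": False,
        }
        results = {p: is_within_base(base, p) for p in expected}
        # Lexical normalisation alone keeps the symlink name and is fooled.
        lexical = os.path.normpath(os.path.join(base, "escape/other.txt"))
        return {
            "results": results,
            "expected": expected,
            "normpath_fooled": lexical.startswith(base + os.sep),
        }


if __name__ == "__main__":
    out = demo()
    for path, ok in out["results"].items():
        print(f"{path!r}: {'allowed' if ok else 'rejected'}")
    print("normpath alone accepts the symlink escape:", out["normpath_fooled"])
```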
What is the software testing technique that uses randomly generated data as inputs to a program?
input fuzzing
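Added example (not from the original study set): one block that serves two cards, the defensive-programming rule of validating size assumptions before use (illustrated by the 2014 Heartbleed length-field bug) and input fuzzing. The record format, the "adjacent memory" bytes, and the secret are constructed to model a heartbeat-style message; this is not OpenSSL code. The vulnerable handler copies as many bytes as the header declares; the fixed handler first checks that the declared length fits in the record actually received, which is the shape of the OpenSSL fix. The fuzzer then throws random payloads and length fields at each handler with two oracles: a reply longer than the sent payload is a leak, and a well-formed record that is not echoed exactly is a false rejection.

```python
import random
import struct
from typing import Optional, Tuple

HEARTBEAT = 1  # record type byte; the value is an assumption for this model


def build_record(payload: bytes, declared_len: Optional[int] = None) -> bytes:
    """type (1 byte) | length (2 bytes, big-endian) | payload.
    A malicious sender may declare a length larger than the payload it sends."""
    if declared_len is None:
        declared_len = len(payload)
    return struct.pack("!BH", HEARTBEAT, declared_len) + payload


def respond_vulnerable(memory: bytes, record_len: int) -> bytes:
    """Trusts the length field and echoes that many bytes from the payload start.
    `memory` models the receive buffer plus whatever sits next to it in the
    process; a Python slice cannot crash, so over-reads are merely truncated."""
    _, declared = struct.unpack("!BH", memory[:3])
    return memory[3:3 + declared]


def respond_fixed(memory: bytes, record_len: int) -> Optional[bytes]:
    """Checks the assumption before using it: header plus declared payload must
    fit inside the record that was actually received."""
    _, declared = struct.unpack("!BH", memory[:3])
    if 1 + 2 + declared > record_len:
        return None  # malformed: discard silently, never echo
    return memory[3:3 + declared]


def demo_overread() -> Tuple[bytes, Optional[bytes]]:
    """One constructed case: 2-byte payload, 64-byte declared length, with
    constructed secret bytes lying directly after the record."""
    record = build_record(b"hi", 64)
    memory = record + b"PRIVATE-KEY-BYTES"
    return respond_vulnerable(memory, len(record)), respond_fixed(memory, len(record))


def fuzz(handler, rounds: int = 2000, seed: int = 7) -> dict:
    """Random payloads and random length fields, with a deterministic seed."""
    rng = random.Random(seed)
    adjacent = bytes(rng.randrange(256) for _ in range(256))  # constructed neighbour
    leaks = false_rejects = 0
    for _ in range(rounds):
        payload = bytes(rng.randrange(256) for _ in range(rng.randrange(0, 48)))
        # Half the time the header is honest; otherwise it is arbitrary.
        declared = len(payload) if rng.random() < 0.5 else rng.randrange(0, 65536)
        record = build_record(payload, declared)
        reply = handler(record + adjacent, len(record))
        if declared == len(payload) and reply != payload:
            false_rejects += 1  # oracle 2: correct input must round-trip
        elif reply is not None and len(reply) > len(payload):
            leaks += 1  # oracle 1: bytes beyond the payload came from memory
    return {"leaks": leaks, "false_rejects": false_rejects}


if __name__ == "__main__":
    leaked, fixed = demo_overread()
    print("vulnerable reply:", leaked)
    print("fixed reply:", fixed)
    print("vulnerable:", fuzz(respond_vulnerable))
    print("fixed:", fuzz(respond_fixed))
```

The second oracle matters as much as the first: a "fix" that rejected honest records would pass a leak-only fuzzer while breaking the protocol.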
What are some issues of dynamic memory allocation?
• Used to manipulate unknown amounts of data
• Allocated when needed, released when done
• Memory leak: steady reduction in memory available on the heap to the point where it is completely exhausted
A ________________ vulnerability occurs when two or more threads or processes have access to the same shared data and attempt to change variables within it simultaneously
race condition
TRUE/FALSE
Applications can become vulnerable to race conditions if they interact with other applications that use parallel processing or multiple threads.
TRUE
What are some key examples of race condition vulnerabilities?
• Juniper (CVE-2020-1667)
• Wind River (CVE-2019-12263)
• TIBCO (CVE-2018-18808)
• Metinfo (CVE-2018-18808)
• Datagram (CVE-2022-20795)
• Meltdown (CVE-2017-5754)
What occurs when processes or threads wait on a resource held by the other?
deadlock
one or more of the programs has to be terminated
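Added example (not from the original study set): two threads transferring between two accounts in opposite directions, in Python. The accounts and amounts are constructed. The first version takes the locks in argument order, so each thread ends up holding one lock while waiting on the other; the second always takes locks in one global order (by account name), which removes the circular wait. The barrier only makes the bad interleaving reproducible; the join timeout is how the runner notices the threads will never finish, at which point the only remedy is to terminate them.

```python
import threading


class Account:
    """Shared resource guarded by its own lock."""

    def __init__(self, name: str, balance: int) -> None:
        self.name = name
        self.balance = balance
        self.lock = threading.Lock()


def _rendezvous(barrier: threading.Barrier) -> None:
    # Briefly wait until the other thread also holds its first lock. This only
    # makes the interleaving reproducible; it is not part of the technique.
    try:
        barrier.wait(timeout=1.0)
    except threading.BrokenBarrierError:
        pass


def transfer_unordered(src: Account, dst: Account, amount: int, barrier) -> None:
    """Locks taken in argument order: A then B in one thread, B then A in the
    other. Each holds one lock while waiting on the other: circular wait."""
    with src.lock:
        _rendezvous(barrier)
        with dst.lock:
            src.balance -= amount
            dst.balance += amount


def transfer_ordered(src: Account, dst: Account, amount: int, barrier) -> None:
    """Same work, but locks are always acquired in one global order, so no
    thread can hold a later lock while waiting on an earlier one."""
    first, second = sorted((src, dst), key=lambda acct: acct.name)
    with first.lock:
        _rendezvous(barrier)
        with second.lock:
            src.balance -= amount
            dst.balance += amount


def run(transfer, timeout: float = 1.0):
    """Start two opposing transfers; report whether they completed in time."""
    a, b = Account("A", 100), Account("B", 100)
    barrier = threading.Barrier(2)
    t1 = threading.Thread(target=transfer, args=(a, b, 10, barrier), daemon=True)
    t2 = threading.Thread(target=transfer, args=(b, a, 5, barrier), daemon=True)
    t1.start()
    t2.start()
    t1.join(timeout)
    t2.join(timeout)
    # Still alive after the timeout means blocked forever: deadlock.
    deadlocked = t1.is_alive() or t2.is_alive()
    return deadlocked, a.balance, b.balance


if __name__ == "__main__":
    print("unordered:", run(transfer_unordered))
    print("ordered:  ", run(transfer_ordered))
```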
Process must create and own the ___________ in order to gain access to the shared resource
lockfile
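Added example (not from the original study set): acquiring a lockfile the racy way and the atomic way, in Python. The lock path lives in a constructed temporary directory. The racy version checks whether the file exists and then creates it, leaving a window in which a second process can do the same; the atomic version asks the kernel to create the file with `O_CREAT | O_EXCL`, which fails for everyone but the first caller. The rendezvous call only widens the check-to-create gap so the race reproduces every time.

```python
import os
import tempfile
import threading


def acquire_racy(path: str, rendezvous) -> bool:
    """Check-then-create. Between exists() and open() another process can create
    the file, so two callers can both believe they own the lock (TOCTOU)."""
    if os.path.exists(path):
        return False
    rendezvous()  # models the scheduling gap between the check and the create
    with open(path, "w") as fh:
        fh.write(str(os.getpid()))
    return True


def acquire_atomic(path: str, rendezvous) -> bool:
    """O_CREAT|O_EXCL: the kernel performs the existence check and the creation
    as one step, so exactly one caller succeeds; the rest get FileExistsError."""
    rendezvous()  # same gap, but there is no separate check to race against
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    except FileExistsError:
        return False
    with os.fdopen(fd, "w") as fh:
        fh.write(str(os.getpid()))  # record the owner so stale locks can be spotted
    return True


def release(path: str) -> None:
    """The owner removes the file when done with the shared resource."""
    os.unlink(path)


def contend(acquire) -> int:
    """Two threads race for one lockfile; returns how many think they own it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "app.lock")
        barrier = threading.Barrier(2)

        def rendezvous() -> None:
            try:
                barrier.wait(timeout=1.0)
            except threading.BrokenBarrierError:
                pass

        results = [False, False]

        def worker(i: int) -> None:
            results[i] = acquire(path, rendezvous)

        threads = [threading.Thread(target=worker, args=(i,)) for i in range(2)]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
        if any(results):
            release(path)
        return sum(results)


if __name__ == "__main__":
    print("racy owners:  ", contend(acquire_racy))
    print("atomic owners:", contend(acquire_atomic))
```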
Which aspect of software security do the following concerns belong to?
• Correct algorithm implementation
• Ensuring that machine language corresponds to algorithm
• Correct interpretation of data values
• Correct use of memory
• Preventing race conditions with shared memory
writing safe program code
What does handling program input consist of?
• Input size and buffer overflow
• Interpretation of program input
• Validating input syntax
• Input fuzzing
What does interacting with the OS and other programs consist of?
• Environment variables
• Using appropriate, least privileges
• Systems calls and standard library functions
• Preventing race conditions with shared system resources
• Safe temporary file use
• Interacting with other programs