CISSP - Domain Eight


29 Terms

1. Software Security Terms

  • SDS (Software Defined Security): Security functions moved from hardware to software; policy driven and managed

  • CASE: Computer Aided Software Engineering. Categories include Tools, Workbenches and Environments

2. Programming Concepts

  • Machine Code: Software executed directly by the CPU

  • Source Code: Human-readable text translated into machine code

  • Assembler Language: Short mnemonics matched to full-length binary machine code

  • Compiler Languages: A compiler translates higher-level language source into machine code at build time

  • Interpreted Languages: Code is translated at run time by an interpreter, rather than being compiled at build time

  • Top Down Programming: Starts with design, then breaks down to technical segments (often procedural)

  • Bottom Up Programming: Pieces together systems to build more complex system (often OOP)

3. Language Generations

  • 1st: Machine Code

  • 2nd: Assembler Language

  • 3rd: C, C++, etc.

  • 4th: ABAP, SQL, Unix Shell (GUI builders, apparently), Perl, PHP, ColdFusion

  • 5th: Prolog, OPS5, Mercury

4. Software Licenses

  • GNU/GPL: Copyleft license; users can run, study, share and modify

  • BSD (Berkeley): Permissive free software licenses with minimal restrictions on use and distribution. Not copyleft (no share-alike provisions)

  • Apache: Requires free distribution and modification, with preservation of copyright notice and disclaimer

5. Software Development Lifecycle

  • Planning

  • Analysis

  • Design (incorporates security controls)

  • Implementation

  • Testing/integration

  • Maintenance

6. Software Development Methodologies

  • Waterfall: Linear; each phase flows into the next and cannot go backwards

  • Sashimi: Still linear, but two phases always overlap. Allows going back one phase

  • Agile (Flow): Adaptive planning, evolutionary dev, early delivery, continuous improvement, rapid/flexible response

7. Agile

  • Individuals/interactions are more important than tools

  • Working software more important than documentation

  • Customer collaboration more important than contract negotiation

  • Responding to change more important than following a plan

8. Agile Manifesto

  1. Customer satisfaction by early/continuous delivery

  2. Welcome Changing requirements

  3. Working software is delivered frequently

  4. Close, daily co-operation between business and devs

  5. Projects built around motivated, trusted individuals

  6. Face-to-face conversations are best (co-location)

  7. Working software is the primary measure of progress

  8. Sustainable development (constant pace)

  9. Attention to technical excellence and good design

  10. Simplicity (maximize the amount of work NOT done)

  11. Best designs emerge from self-organized teams

  12. Regularly reflect on how to become more effective

9. Agile Terms

  • Scrum: Framework for managing software development; teams of 10, 2-week dev cycles

  • Product Owner: Scrum Role, 'customer voice'

  • Development Team: Developers

  • Scrum Master: Project Manager, acts as buffer between team and customer

  • XP (Extreme Programming): Intended to improve software quality; advocates frequent releases and short dev cycles. Uses pair programming (two developers, one workstation)

  • SAFe (Scaled Agile Framework): Incorporates multiple teams (often across multiple projects) to scale Agile out

10. Spiral Model Phases

  • Planning

  • Risk Analysis

  • Engineering

  • Evaluation

The project repeatedly passes through these phases, each iteration building on the previous one (hence the spiral)

11. RAD (Rapid Application Development)

  • Prototypes are used in addition to (or sometimes in place of) design specs

  • Suited for software which is driven by UI requirements

12. RAD Prototyping

  • Breaks projects into smaller tasks, creating multiple prototypes

  • Working models of limited functionality, rather than the full product up front

  • High level of customer involvement

13. SDLC Phases

  • Investigation

  • Analysis

  • Design

  • Build

  • Test

  • Implement

  • Maintenance/Support

Security is built into each phase

14. SDLC Terms

  • Project: A temporary endeavour with a finite start and end, creating an outcome

  • Program: Collection of related projects; also has a finite duration

  • Portfolio: Collection of projects and/or programs grouped to achieve a strategic objective

  • IPT (Integrated Product Team): Multi-disciplinary group responsible for delivering a product

  • Source Code Escrow: When a third party holds a copy of the source code, to release to the licensee if the developer fails contract obligations

15. SDLC Change Management

  • CM (Configuration Management) Plan: Description of roles, responsibilities, policies and procedures for managing configuration. Parts include:

    • Configuration/Change Control Board (CCB) - Chartered group that approves changes

    • Config item identification

    • Change Control process

    • Configuration Monitoring

16. Relational Databases

Each database has a unique key, which is used to union tables.

There is a parent database which acts as the unique 'lookup' or master DB. Child databases use the foreign key (which exists outside of the DB) to look up values

Normalization: cleans up the DB tables to make them more organized/concise, improving speed and integrity

17. Relational Database Integrity Checks

  • Referential Integrity: Checks that foreign keys in tables match the primary key in parent tables

  • Semantic Integrity: Each value is of the correct data type

  • Entity Integrity: Each row has a unique primary value

  • User Defined Integrity: User based data checks

Checks improve: Stability, Performance, Re-Usability and Maintainability

18. Query Language Types

  • Data Definition Language: Used to define the structures in the database (CREATE, ALTER, DROP)

  • Data Manipulation Language: Used for selecting/inserting, etc. (SELECT, DELETE, INSERT, UPDATE)

19. ACID Model

  • Atomicity: If any part of the transaction fails, the whole transaction fails

  • Consistency: The database must be consistent with rules, before and after transactions

  • Isolation: All transactions must be separate (cannot modify the same data)

  • Durability: Committed transactions must be preserved

20. Software Module Terms

  • Coupling: Degree of interdependence between software modules

  • Cohesion: Degree to which two elements belong together (low coupling, high cohesion is desirable)

  • Object-Oriented Analysis and Design (OOAD): Model of continuous iteration, using analysis models

  • Analysis (OOA): Identifies requirements

  • Design (OOD): Translates analysis into design, considering constraints

21. Object Request Brokers

  • DCOM (Distributed COM): Networked COM; adds comms over networks. Slowly being replaced with .NET

  • OLE (Object Linking and Embedding): A way to link documents to other documents

  • CORBA (Common Object Request Broker Architecture): Vendor-neutral ORB, using an object-oriented model (can be used on non-OO DBs though)

22. OWASP Top 10 (1 - 5), 2021, with 2021 mitigations

  • 1. Broken Access Control: Centralized, consistent access controls

  • 2. Cryptographic Failures: Ensure encryption in transit and at rest, disable old encryption, cache appropriately

  • 3. Injection: Input validation, use Common Gateway Interface

  • 4. Insecure Design: Use secure design patterns and reference architectures. Pen-tests

  • 5. Security Misconfiguration: Server hardening, patching

23. OWASP Top 10 (6 - 10), 2021, with 2021 mitigations

  • 6. Vulnerable / Outdated Components: Patching, vulnerability scanning, code/dependency inventories

  • 7. Identification and Authentication Failures: MFA, appropriate session/token lifetimes, appropriate storage (no plain text), strong defaults, alert on failures

  • 8. Software and Data Integrity Failures: Use signatures to verify libraries, use trusted repos, check dependencies for vulnerabilities, ACLs on CI/CD

  • 9. Security Logging and Monitoring Failures: Ensure logs and audit trails are kept appropriately. Ensure IR / DR plans are in place

  • 10. Server Side Request Forgery: Segment remote resources into separate networks. Validate client-supplied data to prevent forgery

24. Capability Maturity Model

  • Level 1 (Initial): Undocumented, ad-hoc processes, uncontrolled and reactive

  • Level 2 (Repeatable): Some processes are repeatable, with consistent results; often reactive

  • Level 3 (Defined): Sets of defined, documented/standardized processes. Organization is proactive

  • Level 4 (Managed/Capable): Processes are measured (i.e. metrics) and controlled

  • Level 5 (Optimizing): Processes focus on continuous improvement

25. CMMI (Capability Maturity Model Integration)

Used to categorize/divide projects across the organization

Components:

  • Maturity Levels

  • Process Areas: e.g. Configuration Management

  • Practice Areas: i.e. who does it, e.g. Support, Project Management, Engineering

26. Software Assurance Maturity Model

OWASP-authored model which categorizes areas into verticals. Each vertical category has different maturity levels, with increasing requirements

  • Governance: Strategy, Policy/Compliance, Education/Guidance

  • Design: Threat Assessment, Security Requirements, Security Architecture

  • Implementation: Secure Build, Deployment, Defect Management

  • Verification: Architecture Assessment, Requirement testing, security testing

  • Operations: Incident Management, Environment Management, Ops Management

Used as a gap analysis. Assumes an organization's behaviour changes slowly over time, so changes must be iterative and tailored

27. Software Evaluation Terms

  • COTS: Commercial Off-The-Shelf software

  • RTM: Requirements Traceability Matrix (i.e. must have, nice to have, etc.)

  • Community Cloud: Private cloud used by a specific community of organizations/consumers

28. Software Component Analysis (SCA)

Tools that identify external components in software. Enables early risk detection and continuous monitoring

29. AI Terms

  • ANN (Artificial Neural Network): System that learns progressively to improve performance

  • GP (Genetic Programming): Programs encoded as a set of genes and then modified/evolved using an algorithm. Good for pre-defined tasks / tree node operations