Designing security into our software

The more breaches and compromises, the more we see the move towards security being part of the scope of the software design project.
We use software at our jobs, our personal lives, our homes, cars, power, water...
It is everywhere. And it has been, and still is, common to write functional code. Security is an afterthought, or not considered at all.
A large part of our defense-in-depth is to protect our assets, but ultimately most of it is to protect our data/software.
Software with security built in is much securer than software where it is added on later.
It is common for programmers to make 15-50 mistakes per 1,000 lines of code. If using a programming maturity framework, we can lower that to 1 error per 1,000 lines of code.
Most of the errors are not a vulnerability, or really a concern, but the more we use software in everything, the more critical the vulnerabilities become.
Hacks have accelerated and stopped cars on highways, had planes change course (hacked through bad security on the in-flight entertainment), power grids, elections...

Programming concepts

Machine Code

Software executed directly by the CPU, 0's and 1's understood by the CPU.

Source Code

Computer programming language, written in text and is human understandable, translated into machine code.

Assembler Language

Short mnemonics like ADD/SUB/JMP, which are matched with the full length binary machine code; assemblers convert assembly language into machine language. A disassembler does the reverse.

Compiler Languages

Translates the higher level language into machine code and saves, often as executables, compiled once and run multiple times.

Interpreted languages

Similar to compiler languages, but interprets the code each time it is run into machine code.

Bytecode

An interpreted code, in intermediary form, converted from source code to interpreted, but still needs to be converted into machine code before it can run on the CPU.

Procedural languages (Procedure-oriented)

Uses subroutines, procedures and functions.

Object-oriented Programming (OOP)

Based on the concept of objects, which may contain data, in the form of fields, often known as attributes, and code, in the form of procedures, often known as methods.
An object's procedures can access and often modify the data fields of the objects with which they are associated.
In OOP, computer programs are designed by making them out of objects that interact with one another.

4th Generation languages (4GL)

Fourth-generation languages are designed to reduce programming effort and the time it takes to develop software, resulting in a reduction in the cost of software development.
Increases the efficiency by automating the creation of machine code.
Often uses a GUI, drag and drop, and then generating the code, often used for websites, databases and reports.

Programming languages and generations

1^st generation: Machine Code
2^nd Generation: Assembler
3^rd Generation: Cobol, basic, C, C++, C#, Java, JavaScript, …
4^th Generation: ColdFusion, Progress 4GL, SQL, PHP, Perl,

Programming concepts

CASE (Computer-Aided Software Engineering):
Similar to and were partly inspired by computer-aided design (CAD) tools used for designing hardware products.
Used for developing high-quality, defect-free, and maintainable software.
Often associated with methods for the development of information systems together with automated tools that can be used in the software development process.
CASE software is classified into 3 categories:
- - Tools support specific tasks in the software life-cycle.
  - Workbenches combine two or more tools focused on a specific part of the software life-cycle.
  - Environments combine two or more tools or workbenches and support the complete software life-cycle.

Top-Down Programming

Starts with the big picture, then breaks it down into smaller segments.
An overview of the system is formulated, specifying, but not detailing, any firstlevel subsystems.
Each subsystem is then refined in yet greater detail, sometimes in many additional subsystem levels, until the entire specification is reduced to base elements.
Procedural programming leans toward Top-Down, you start with one function and add to it.

Bottom-Up Programming

Piecing together of systems to build more complex systems, making the original systems a sub-system of the overarching system.
The individual base elements of the system are first specified in great detail, they are then linked together to form larger subsystems, which then in turn are linked, sometimes in many levels, until a complete top-level system is formed.
OOP leans tends toward Bottom-Up, you start by developing your objects and build up.

Software release

Open source: We release the code publicly, where it can be tested, improved and corrected, but it also allows attackers to find the flaws in the code.
Closed Source: We release the software, but keep the source code a secret, may be sound business practice, but can also be security through obscurity.
Proprietary software: Software protected by intellectual property and/or patents, often used interchangeably with Closed Source software, but it really is not. It can be both Open and Closed Source software.
Any software not released into the public domain is protected by copyright.

Free software

Freeware: Actually free software, it is free of charge to use.
Shareware: Fully functional proprietary software that is initially free to use.
Often for trials to test the software, after 30 days you have to pay to continue to use.
Crippleware: Partially functioning proprietary software, often with key features disabled. The user is required to make a payment to unlock the full functionality.

EULAs (End-User License Agreements)

Electronic form where the user clicks “I agree” to the software terms and conditions while installing the software

Software licenses

Open source software can be protected by a variety of licensing agreement.

GNU (General Public License): Also called GPL or GPL

Guarantees end users the freedom to run, study, share and modify the software.
A copyleft license, which means that derivative work can only be distributed under the same license terms.

BSD (Berkeley Software Distribution):

A family of permissive free software licenses, imposing minimal restrictions on the use and redistribution of covered software.
This is different than copyleft licenses, which have reciprocity share-alike requirements.

Apache:

Software must be free, distribute, modify and distribute the modified software.
Requires preservation of the copyright notice and disclaimer.

Software Development Methodologies

There is a wide range of software development methodologies used today.
In the past the Waterfall method was widely used, it is a very linear process, and does not work very well with the iterative nature of software development.
To remedy that problem other methods were developed Spiral, Sashimi, Agile and Scrum.
The individual phases are different from organization to organization, understand how each methodology works and the phases flow.

Waterfall

Very linear, each phase leads directly into the next.
The unmodified waterfall model does not allow us to go back to the previous phase.

Sashimi model (Waterfall with overlapping phases)

Similar to waterfall, but we always have 2 overlapping phases, if we close one phase, we add the next phase.
The modified waterfall model allows us to go back to the previous phase but no further.

Agile software development

Describes a set of values and principles for software development under which requirements and solutions evolve through the collaborative effort of self-organizing cross-functional teams.
Uses adaptive planning, evolutionary development, early delivery, and continuous improvement, and it encourages rapid and flexible response to change.
There are many types of agile, for the exam know the flow.

Manifesto for Agile Software Development:

What is valued in the manifesto:
- - Individuals and Interactions more than processes and tools.
  - Working Software more than comprehensive documentation.
  - Customer Collaboration more than contract negotiation.
  - Responding to Change more than following a plan.
The twelve principles in the manifesto:

1. Customer satisfaction by early and continuous delivery of valuable software.

2. Welcome changing requirements, even in late development

3. Working software is delivered frequently (weeks rather than months).

4. Close, daily cooperation between business people and developers.

5. Projects are built around motivated individuals, who should be trusted.

6. Face-to-face conversation is the best form of communication (co-location).

7. Working software is the primary measure of progress.

8. Sustainable development, able to maintain a constant pace.

9. Continuous attention to technical excellence and good design.

10. Simplicity—the art of maximizing the amount of work not done—is essential.

11. Best architectures, requirements, and designs emerge from self-organizing teams.

12. Regularly, the team reflects on how to become more effective, and adjusts accordingly.

Scrum

Scrum is a framework for managing software development. Scrum is designed for teams of approximately 10 individuals, and generally relies on two-week development cycles, called "sprints", as well as short daily stand-up meetings.

The three core roles in the Scrum framework.

The product owner: Representing the product's stakeholders, the voice of the customer, and is accountable for ensuring that the team delivers value to the business.
Development team: Responsible for delivering the product at the end of each sprint (sprint goal).
- - The team is made up of 3–9 individuals who do the actual work (analysis, design, develop, test, technical communication, document, etc.).
  - Development teams are cross-functional, with all of the skills as a team necessary to create a product increment.
Scrum master:
- - Facilitates and accountable for removing impediments to the ability of the team to deliver the product goals and deliverables.
  - Not a traditional team lead or project manager but acts as a buffer between the team and any distracting influences.
  - The scrum master ensures that the Scrum framework is followed.

XP (Extreme programming)

Intended to improve software quality and responsiveness to changing customer requirements.
Uses advocates frequent releases in short development cycles, intended to improve productivity and introduce checkpoints at which new customer requirements can be adopted.
XP uses:
- Programming in pairs or doing extensive code review.
- Unit testing of all code.
- Avoiding programming of features until they are actually needed.
- Flat management structure.
- Code simplicity and clarity.
- Expecting changes in the customer's requirements as time passes and the problem is better understood.
- Frequent communication with the customer and among programmers.

The spiral model

A risk-driven process model generator for software projects.
The spiral model has four phases: Planning, Risk Analysis, Engineering and Evaluation.
A software project repeatedly passes through these phases in iterations (called Spirals in this model).
The baseline spiral, starting in the planning phase, requirements are gathered and risk is assessed.
Each subsequent spiral builds on the baseline spiral.

RAD (Rapid Application Development)

Puts an emphasis on adaptability and the necessity of adjusting requirements in response to knowledge gained as the project progresses.
Prototypes are often used in addition to or sometimes even in place of design specifications.
Very suited for developing software that is driven by user interface requirements.
GUI builders are often called rapid application development tools.

Prototyping

Breaks projects into smaller tasks, creating multiple prototypes of system design features.
A working model of software with some limited functionality, rather than designing the full software up front.
Has a high level of customer involvement, the customer inspects the prototypes to ensure that the project is on track and meeting its objective.

SDLC (Software Development Life Cycle)

The SDLC is not really a methodology, but a description of the phases in the life cycle of software development.
These phases are (in general), investigation, analysis, design, build, test, implement, maintenance and support (and disposal).
Can have security built into each step of the process, for the exam it always does.
If an answer about SDLC does not list secure or security, it would be wrong and can be eliminated.
Has a number of clearly defined and distinct work phases which are used by systems engineers and systems developers to plan for, design, build, test, and deliver information systems.
The aim is to produce high-quality systems that meet or exceed customer expectations, based on customer requirements, by delivering systems which move through each clearly defined phase, within scheduled time frames and cost estimates.
SDLC is used during the development of a project, it describes the different stages involved in the project from the drawing board, through the completion of the project.
All software development methodologies follow the SDLC phases but the method of doing that varies vastly between methodologies.
Many different SDLC methodologies have been created, Waterfall, Spiral, Agile, Rapid Prototyping, ...
In Scrum project a single user story goes through all the phases of the SDLC within a single two-week sprint, where Waterfall projects can take many months or several years to get through the phases.
While very different they both contain the SDLC phases in which a requirement is defined, then pass through the life cycle phases ending in the final phase of maintenance and support.

Projects, programs and portfolios

A project is a temporary endeavor, with a finite start and end that is focused on creating a unique product, service, or result.
A program is a collection of related projects.
- Like a project, a program is temporary, when the collection of projects are complete, the program is complete.
A portfolio is a collection of projects and programs that are managed as a group to achieve strategic objectives.

IPT (Integrated Product Team)

A multidisciplinary group of people who are collectively responsible for delivering a defined product or process.
IPTs are used in complex development programs/projects for review and decision making.
The emphasis of the IPT is on involvement of all stakeholders (users, customers, management, developers, and contractors) in a collaborative forum.
IPTs can be addressed at the program level, there may also be Oversight IPTs (OIPTs), or Working-level IPTs (WIPTs).
IPTs are created most often as part of structured systems engineering methodologies, focusing attention on understanding the needs and desires of each stakeholder.

Source code escrow

The deposit of the source code of software with a third party escrow agent.
Escrow is typically requested by a party licensing software (the licensee), to ensure maintenance of the software instead of abandonment or orphaning.
The software source code is released to the licensee if the licensor files for bankruptcy or otherwise fails to maintain and update the software as promised in the software license agreement.

Source code repositories

Using public third party code repositories comes with some security concerns.
Other than the provider security, one of the most important controls is using multi-factor authentication.
File archive and web hosting facility where a large amount of source code, for software or for web pages, is kept, either publicly or privately.
They are often used by open-source software projects and other multideveloper projects to handle various versions. They help developers submit patches of code in an organized fashion.

API Security (Application Programming Interface)

Allows an application to communicate with another application, operating systems, databases, networks, ...
Many applications use API's, this could be to add super sign-on, integrate 2 applications, or many other things, ...
They are a good example of how we integrate for better usability, but often security is overlooked.
API's are the cause of a number of recent high-profile website security breaches including SnapChat, Pinterest and Instagram.
We will cover the OWASP top 10 web vulnerabilities in domain 2.
OWASP also has an Enterprise Security API Toolkits project, which includes these critical API controls:
Authentication, Access control, Input validation, Output encoding/escaping, Cryptography, Error handling and logging, Communication security, HTTP security and Security configuration.

Software Change and Configuration Management

Earlier in this domain we covered how software development has a lifecycle, and in Domain 3 we will cover configuration and change management.
Both change and configuration management are very applicable to our software development process, all the way from investigation/initiation to disposal of the software.
As with many of the concepts we cover they are to some extend logical, configuration management tracks changes to a specific piece of software where change management is all changes in the entire software development process.

Software Change and Configuration Management

NIST 80-128: Guide for Security-Focused Configuration Management of Information Systems uses these terms:
A Configuration Management Plan (CM Plan) is a comprehensive description of the roles, responsibilities, policies, and procedures that apply when managing the configuration of products and systems.
The basic parts of a CM Plan include:
Configuration Control Board (CCB) – Establishment of and charter for a group of qualified people with responsibility for the process of controlling and approving changes throughout the development and operational lifecycle of products and systems, may also be referred to as a change control board.
Configuration Item Identification – for selecting and naming configuration items that need to be placed under CM.
Configuration Change Control – Process for managing updates to the baseline configurations for the configuration items.
Configuration Monitoring – Process for assessing or testing the level of compliance with the established baseline configuration and mechanisms for reporting on the configuration status of items placed under CM

DevOps

A software development and delivery process that emphasizes communication and collaboration between product management, software development, and operations professionals in the entire service lifecycle, from design through the development process to production support.

It does this by automating and monitoring the process of software integration, testing, deployment, and infrastructure changes by establishing a culture and environment where building, testing, and releasing software can happen rapidly, frequently, and more reliably.

AI (Artificial intelligence)

Intelligence exhibited by machines, rather than humans or other animals.
What true AI is, is a topic of discussion, what was considered AI years ago we have achieved and when once goal is reached the AI definition is tweaked a little.
From what we are seeing published we do in my mind not currently have true AI, but very highly simulated intelligence, that being said IBM and Google do seem to be getting a lot closer.
It is also used when a machine mimics cognitive functions that humans associate with other human minds, such as learning and problem solving.
AI currently defined as advice that perceives its environment and takes actions that maximize its chance of success at some goal, not through experience/programming, but through reasoning.

Expert systems

A computer system that emulates the decision-making ability of a human expert.
Designed to solve complex problems by reasoning about knowledge, represented mainly as if–then rules rather than through conventional procedural code.
An expert system is divided into two subsystems:
The knowledge base represents facts and rules.
The inference engine applies the rules to the known facts to deduce new facts, and can also include explanation and debugging abilities.

ANN's (Artificial neural networks)

Computing systems inspired by the biological neural networks that constitute animal brains, we make decisions based on 1000’s of memories, stories, the situation and many other factors, the ANN tries to emulate that.
The systems learn and progressively improve their performance, to do tasks, generally without task-specific programming.
They can learn to identify images that contain geckos by analyzing example images that have been manually labeled as "gecko" or "no gecko" and using the analytic results to identify geckos in other images.
They are mostly used in areas that are difficult to express in a traditional computer algorithm using rule-based programming.
An ANN is based on a collection of connected units called artificial neurons.
Each connection (synapse) between neurons can transmit a signal to another neuron.
Typically, neurons are organized in layers, different layers may perform different transformations on their inputs.
Signals travel from the first input, to the last output layer, at times after traversing the layers multiple times.

GP (Genetic Programming)

Technicque

A technique where computer programs are encoded as a set of genes that are then modified (evolved) using an evolutionary algorithm often a GA (Genetic Algorithm).
The results are computer programs able to perform well in a predefined task.
The methods used to encode a computer program in an artificial chromosome and to evaluate its fitness with respect to the predefined task are central in the GP technique and still the subject of active research.
GP evolves computer programs, traditionally represented in memory as tree structures.
Trees can be easily evaluated in a recursive manner.
Every tree node has an operator function and every terminal node has an operand, making mathematical expressions easy to evolve and evaluate.
Traditionally GP favors the use of programming languages that naturally embody tree structures for example, Lisp or other functional programming languages.

Process

The process is in its simple form like this:
Generate an initial population of random computer programs.
Execute each program in the population and assign it a fitness value according to how well it solves the problem.
Create a new population of computer programs.
Copy the best existing programs
Create new computer programs by mutation.
Create new computer programs by crossover.
Genetic Algorithms and Genetic Programming have been used to program a Pac-Man playing program, robotic soccer teams, networked intrusion detection systems, and many others.

Report abuse