Security-Driven Software Development - Aspen Olmsted - E-Book


Description

Extend your software development skills to integrate security into every aspect of your projects. Perfect for any programmer or developer working on mission-critical applications, this hands-on guide helps you adopt secure software development practices. Explore core concepts like security specification, modeling, and threat mitigation with the iterative approach of this book that allows you to trace security requirements through each phase of software development. You won’t stop at the basics; you’ll delve into multiple-layer attacks and develop the mindset to prevent them. Through an example application project involving an entertainment ticketing software system, you’ll look at high-profile security incidents that have affected popular music stars and performers. Drawing from the author’s decades of experience building secure applications in this domain, this book offers comprehensive techniques where problem-solving meets practicality for secure development.
By the end of this book, you’ll have gained the expertise to systematically secure software projects, from crafting robust security specifications to adeptly mitigating multifaceted threats, ensuring your applications stand resilient in the face of evolving cybersecurity challenges.

The e-book can be read in Legimi apps or in any app that supports the following formats:

EPUB
MOBI

Page count: 287

Publication year: 2024




Security-Driven Software Development

Learn to analyze and mitigate risks in your software projects

Aspen Olmsted

Security-Driven Software Development

Copyright © 2024 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Kunal Sawant

Publishing Product Manager: Akash Sharma

Book Project Manager: Manisha Singh

Senior Editor: Kinnari Chohan

Technical Editor: Vidhisha Patidar

Copy Editor: Safis Editing

Indexer: Hemangini Bari

Production Designer: Joshua Misquitta

DevRel Marketing Coordinator: Sonia Chauhan

First published: February 2024

Production reference: 1230224

Published by Packt Publishing Ltd.

Grosvenor House

11 St Paul’s Square

Birmingham

B3 1RB, UK

ISBN 978-1-83546-283-6

www.packtpub.com

To my family, Freya, Seamus, and Kirsten. I appreciate how you always believe in me.

Contributors

About the author

Aspen Olmsted is an associate professor and program director at Wentworth Institute of Technology in the computer science department. He obtained a Ph.D. in computer science and engineering from the University of South Carolina. Before his academic career, he was CEO of Alliance Software Corporation. Alliance Software developed N-Tier enterprise applications for the performing arts and humanities market. Dr. Olmsted’s research focus is on the development of algorithms and architectures for distributed enterprise solutions that can guarantee security and correctness while maintaining high availability. Aspen mentors over a dozen graduate and undergraduate students in his Secure Data Engineering Lab each year.

About the reviewer

Alon Hillel-Tuch, a seasoned technical founder, established RocketHub, a notable financial services platform recognized as a Department of State Global Partner in 2015. His expertise extends to being Managing Partner of an early-stage venture fund focused on govtech, infrastructure, and frontier technologies. Renowned for his insights into startup investment structures, Alon has testified twice before the U.S. Congress on innovation, regulation, and digital security, and spearheaded FINRA's Capital Market Series XVII. He is a founding board member of the Forbes Technology Council and the Crowdfunding Professional Association. Alon holds an M.Sc. in Negotiation and Conflict Resolution from Columbia University and an M.Sc. in Cybersecurity from New York University.

Table of Contents

Preface

Part 1: Modeling a Secure Application

1

Security Principles

What could go wrong?

Principles

Open Web Application Security Project

NIST’s Secure Software Development Framework

MITRE frameworks

Software development lifecycles

Microsoft’s Security Development Lifecycle

Confidentiality, integrity, and availability

Summary

Self-assessment questions

Answers

2

Designing a Secure Functional Model

Requirements gathering and specification

Non-functional requirements and security

Capturing scenarios

Textual use cases and misuse cases

Graphical use cases and misuse cases

Graphical use case diagram

Graphical misuse case diagram

Example enterprise secure functional model

Purchase of tickets via self-service

Trying to purchase tickets beyond the patron limit

Summary

Self-assessment questions

Answers

3

Designing a Secure Object Model

Identify objects and relationships

Class diagrams

Stereotypes

Invariants

Example of the enterprise secure object model

Summary

Self-assessment questions

Answers

4

Designing a Secure Dynamic Model

Technical requirements

Object behavior

Modeling interactions between objects

UML sequence diagrams

UML activity diagrams

Constraints

Example of the enterprise secure dynamic model

Summary

Self-assessment questions

Answers

5

Designing a Secure System Model

Partitions

Modeling interactions between partitions

UML component diagrams

Patterns

Example – developing an enterprise secure system model

Summary

Self-assessment questions

Answers

6

Threat Modeling

Threat model overview

The STRIDE threat model

The DREAD threat model

Attack trees

Mitigations

Microsoft Threat Modeling Tool

Example of an enterprise threat model

Summary

Self-assessment questions

Answers

Part 2: Mitigating Risks in Implementation

7

Authentication and Authorization

Authentication

Authorization

Security Models

Single sign-on and open authorization

Single sign-on (SSO)

Open authorization (OAuth)

Implementing SSO and OAuth with Google

Example of enterprise implementation

Summary

Self-assessment questions

Answers

8

Input Validation and Sanitization

Input validation

Input sanitization

Language-specific defenses

Buffer overflows

Example of the enterprise input validation and sanitization

Summary

Self-assessment questions

Answers

9

Standard Web Application Vulnerabilities

Injection attacks

Broken authentication and session management

Request forgery

Language-specific defenses

Example of enterprise web defenses

Summary

Self-assessment questions

Answers

10

Database Security

Overview of SQL

SQL injection

Maintaining database correctness

Managing activity concurrency

Language-specific defenses

RBAC security in DBMS

Encryption in DBMS

An example of enterprise DB security

Summary

Self-assessment questions

Answers

Part 3: Security Validation

11

Unit Testing

The principles of unit testing

The advantages of unit testing

Unit testing frameworks

An example of enterprise threat model

PHPUnit

JUnit

PyUnit

Summary

Self-assessment questions

Answers

12

Regression Testing

Regression testing overview

Key concepts

Process

Benefits

Robotic process automation

The intersection of RPA and regression testing

Regression testing tools

Load testing

Integration and complementarity

UI.Vision RPA

Example of the enterprise regression tests

Summary

Self-assessment questions

Answers

13

Integration, System, and Acceptance Testing

Types of integration tests

Mocks

Stubs

Examples of enterprise integration testing

System testing

Acceptance testing

Summary

Self-assessment questions

Answers

14

Software Penetration Testing

Types of tests

Phases

Tools

Information gathering and reconnaissance

Vulnerability analysis and exploitation

Post-exploitation and privilege escalation

Network sniffing

Forensics and monitoring

Reporting and documentation

An example of an enterprise penetration test report

High-level summary

Host analysis

Summary

Self-assessment questions

Answers

Index

Other Books You May Enjoy

Part 1: Modeling a Secure Application

The first part of this book drills into modeling a secure application so we can identify the risks to our application before we start our implementation. The process is iterative, so we’ll revisit previous models as we add knowledge about new models.

This part has the following chapters:

Chapter 1, Security Principles and Procedures
Chapter 2, Designing a Secure Functional Model
Chapter 3, Designing a Secure Object Model
Chapter 4, Designing a Secure Dynamic Model
Chapter 5, Designing a Secure System Model
Chapter 6, Threat Modeling

1

Security Principles

Software development security principles are guidelines and best practices that help ensure the security of software applications throughout their development life cycle. These principles are essential for protecting sensitive data, preventing security breaches, and maintaining users’ trust.

In this chapter, we’re going to cover security principles by looking at the following main topics:

What could go wrong?
Principles
Open Web Application Security Project
NIST’s Secure Software Development Framework
MITRE frameworks
Software development life cycles
Microsoft’s Security Development Lifecycle
Confidentiality, integrity, and availability in software development

The goal of the chapter is to give you a good foundation of some secure software terminology along with an understanding of the current state of the practice. We will reference the topics of this chapter in future chapters.

What could go wrong?

Over the past few decades, there have been tens of thousands of successful malicious software security attacks. These include a data breach that affected approximately 40 million Target customers, the Facebook-Cambridge Analytica scandal in 2018, which involved unauthorized access to user data through a third-party app’s API, and a cross-site scripting (XSS) attack that, within 20 hours, infected over one million Myspace profiles.

Hundreds of thousands of unintended user mistakes are due to poorly designed or implemented software. These mistakes often go unreported, even though the software or experiment may fail, or humans are harmed. Some examples include NASA’s Mars Climate Orbiter, where the spacecraft’s navigation software used metric units, while ground control provided data in imperial units. This mismatch resulted in incorrect calculations, causing the orbiter to approach Mars at too low an altitude, ultimately leading to its failure. Another example is Ariane 5’s flight 501, where the rocket’s inertial reference system software failed due to a data conversion error. The software was reused from the previous Ariane 4 model but proved incompatible with the higher velocity of Ariane 5. This led to a catastrophic failure within 40 seconds of liftoff.

The most well-known error from poorly designed software was the Therac-25 radiation therapy machine, where the software and hardware design flaws in the Therac-25 medical device led to patients receiving massive overdoses of radiation. The software allowed for race conditions, and insufficient testing failed to catch critical errors in the system.

Unintended programmer mistakes often lead to both malicious and unintended software failures. An excellent example is when a programming mistake in the OpenSSL cryptographic software led to the Heartbleed bug. This flaw allowed attackers to read sensitive data from the memory of thousands of web servers, compromising user privacy.

Principles

Software security principles are fundamental guidelines and best practices that help design, develop, and maintain secure software systems. These principles aim to protect software applications and their data from a wide range of threats and vulnerabilities. Here are some fundamental software security principles:

Least privilege: Give individuals or processes only the minimum access and permissions they need to perform their tasks. This principle reduces the potential for unauthorized access or abuse of privileges.
Defense in depth: Implement multiple layers of security controls and safeguards rather than relying solely on a single security measure. This approach helps to mitigate risks and reduce the impact of security breaches.
Fail-safe defaults: Configure systems and applications to operate securely by default. Fail-safe defaults mean that if a configuration or access control is not explicitly defined, it should be denied or disabled.
Input validation: Validate and sanitize all user inputs to prevent injection attacks, such as SQL injection and cross-site scripting (XSS). Input validation helps ensure that data is safe before it’s processed.
Output encoding: Encode data before it is displayed to users. This encoding prevents attacks such as XSS by ensuring potentially malicious input is treated as data, not code.
Secure data storage: Use strong encryption and access controls to protect sensitive data at rest. This principle includes encrypting data in databases, files, and other storage locations.
Authentication and authorization: Implement robust authentication mechanisms to verify the identity of users and authorization controls to ensure that users can access only the resources and functionality they are allowed to.
Session management: Properly manage and secure user sessions to prevent session fixation, session hijacking, and other session-related attacks.
Secure communication: Use secure protocols such as HTTPS to protect data transmitted between clients and servers.
Error handling: Implement appropriate error handling and reporting mechanisms to provide minimal information to users while logging detailed error messages for administrators.
Secure dependencies: Regularly update and patch all software components and libraries to address known vulnerabilities. Ensure that third-party dependencies are secure and up to date.
Security testing: Conduct thorough security testing, including code reviews, penetration testing, and vulnerability scanning, to identify and remediate security issues in the software.
Security training and awareness: Promote security awareness among developers, users, and administrators and provide training to ensure they understand and follow security best practices.
Incident response: Develop a plan to respond effectively to security breaches and minimize their impact.
Security by design: Consider security from the initial stages of software design and architecture rather than attempting to bolt security onto a finished product.
Secure development life cycle: Implement a secure software development life cycle (SDLC) incorporating security activities at each development phase, from requirements to deployment.
Threat modeling: Identify and assess potential threats and vulnerabilities specific to your application, allowing you to address security issues proactively.

These principles provide a foundation for building and maintaining secure software applications. They should be integrated into the development process and adapted to each application’s specific requirements and threat landscape. By following these principles, software developers and organizations can reduce the risk of security breaches and protect their applications and users. Next, we will look at a few specific frameworks to see how they tackle these important software security principles.
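As an added illustration (not the book’s own code) of fail-safe defaults, least privilege, input validation, output encoding and error handling applied to the ticketing domain the book uses as its running example. The permission table, patron limit and event-ID format are constructed assumptions for this example:

```python
"""Security principles on a ticket-purchase request (constructed example)."""
import html
import logging
import re

log = logging.getLogger("ticketing")

# Hypothetical permission table: only explicitly granted (role, action) pairs
# exist. Anything absent is denied, which is the fail-safe default. Each role
# gets only what it needs (least privilege): patrons cannot refund.
PERMISSIONS = {
    ("patron", "purchase_ticket"),
    ("patron", "view_own_orders"),
    ("box_office", "purchase_ticket"),
    ("box_office", "refund_ticket"),
    ("box_office", "view_own_orders"),
}

PATRON_LIMIT = 8  # constructed: maximum tickets one patron may buy per event
EVENT_ID_RE = re.compile(r"EVT-[0-9]{4,8}")  # constructed event-ID format


def is_allowed_unsafe(role, action):
    """Weak variant: a deny-list. An unknown role or a newly added action
    is allowed by accident because nobody wrote a rule for it."""
    denied = {("patron", "refund_ticket")}
    return (role, action) not in denied


def is_allowed(role, action):
    """Fail-safe default: access exists only if it was explicitly granted."""
    return (role, action) in PERMISSIONS


def validate_purchase(request):
    """Allow-list validation of the untrusted request. Returns (ok, errors)."""
    errors = []
    event_id = request.get("event_id")
    if not isinstance(event_id, str) or not EVENT_ID_RE.fullmatch(event_id):
        errors.append("event_id must match EVT-<4 to 8 digits>")
    qty = request.get("quantity")
    # bool is a subclass of int, so True would otherwise pass as quantity 1
    if (not isinstance(qty, int) or isinstance(qty, bool)
            or qty < 1 or qty > PATRON_LIMIT):
        errors.append(f"quantity must be an integer from 1 to {PATRON_LIMIT}")
    name = request.get("patron_name")
    if not isinstance(name, str) or not 1 <= len(name) <= 80:
        errors.append("patron_name must be 1 to 80 characters")
    return (not errors, errors)


def render_confirmation(patron_name, event_id, quantity):
    """Output encoding: user-supplied strings are escaped before they are
    placed in HTML, so they are rendered as text rather than markup."""
    return (f"<p>Thank you, {html.escape(patron_name)}! {quantity} ticket(s) "
            f"reserved for {html.escape(event_id)}.</p>")


def handle_purchase(role, request):
    """Deny by default, validate, then encode. Returns a dict with an HTTP-like
    status and body; detailed errors go to the log, not to the caller."""
    if not is_allowed(role, "purchase_ticket"):
        return {"status": 403, "body": "forbidden"}
    ok, errors = validate_purchase(request)
    if not ok:
        log.warning("purchase rejected for role %s: %s", role, errors)
        return {"status": 400, "body": "invalid request"}
    body = render_confirmation(request["patron_name"], request["event_id"],
                               request["quantity"])
    return {"status": 200, "body": body}


if __name__ == "__main__":
    demo = {"event_id": "EVT-2024", "quantity": 2, "patron_name": "O'Brien <b>"}
    print(handle_purchase("patron", demo))
    print(handle_purchase("anonymous", demo))
```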

Open Web Application Security Project

When considering software security principles, you must reference Open Web Application Security Project (OWASP) terminology. OWASP is an online community and organization that focuses on web application security. OWASP is known for its extensive collection of resources and tools related to web application security, which are freely available to the public. The primary goal of OWASP is to improve software security by providing knowledge and tools that help organizations and individuals develop and maintain secure web applications.

Some of the critical activities and resources associated with OWASP include the following:

Top 10: This is a regularly updated list of the top 10 most critical web application security risks. It serves as a guide for developers and organizations to prioritize their security efforts.
Projects: OWASP sponsors and supports various open source projects related to web application security. These projects cover various security topics, including secure coding, vulnerability scanning, and penetration testing.
Web application security testing: OWASP offers guidelines, tools, and resources for testing the security of web applications, helping organizations identify and address vulnerabilities.
Cheat sheets: These practical guides and checklists provide developers and security professionals with best practices and recommendations for secure coding and testing.
Web security testing guide: This comprehensive guide provides information on conducting security assessments and testing web applications for vulnerabilities.
AppSensor: This is a project that focuses on the detection of and response to application-level attacks, with guidance on implementing real-time application security monitoring.
Chapters and conferences: OWASP has local chapters and organizes events and conferences worldwide, facilitating the exchange of knowledge and best practices in web application security.
Software Assurance Maturity Model (SAMM): SAMM is a framework for organizations to evaluate and improve their software security practices.

OWASP’s work is widely respected in the cybersecurity community, and its resources are commonly used by developers, security professionals, and organizations to enhance the security of web applications. OWASP operates on a community-driven and open source philosophy, making its resources and knowledge accessible to everyone interested in web application security.

NIST’s Secure Software Development Framework

The National Institute of Standards and Technology (NIST) released various guidelines and frameworks for secure software development. One of the critical resources NIST provides is the NIST Secure Software Development Framework (SSDF), designed to help organizations enhance the security of their software development processes. Here’s an overview of the NIST SSDF:

Secure software development guidelines: NIST’s SSDF provides guidance on secure software development practices. It covers many topics, including requirements analysis, design, coding, testing, deployment, and maintenance, with a strong focus on security.
Secure software development principles: The framework promotes fundamental security principles and best practices to be integrated into every phase of the software development life cycle. These principles include secure coding, security testing, threat modeling, and secure software architecture.
Security standards and references: NIST’s SSDF references various security standards, guidelines, and resources that can help organizations implement secure software development practices effectively. SSDF includes NIST Special Publications, industry standards, and other authoritative sources.
Security risk management: The framework emphasizes the importance of risk management throughout the software development process. It encourages organizations to identify, assess, and mitigate security risks associated with their software projects.
Integration with existing processes: NIST’s SSDF is designed to be flexible and adaptable. Organizations can integrate its guidance and recommendations into their software development processes, including Agile and DevOps methodologies.
Security training and awareness: The framework underscores the significance of training and raising awareness among developers, testers, and other stakeholders regarding secure coding practices and the implications of security vulnerabilities.
Security metrics and measurement: NIST’s SSDF encourages organizations to define and track security metrics to assess the effectiveness of their secure software development initiatives. Metrics can help identify areas for improvement and evaluate the impact of security measures.
Secure SDLC: NIST’s SSDF promotes incorporating security activities into the entire SDLC, from initial planning and requirements to post-deployment maintenance and monitoring.
Continuous improvement: The framework emphasizes continuous improvement by learning from security incidents, security assessments, and feedback from the development process. It encourages organizations to adapt and refine their practices over time.

NIST’s SSDF is a valuable resource for organizations seeking to improve the security of their software development processes. It provides a structured approach to integrating security considerations into every phase of the SDLC, ultimately leading to more robust and secure software applications.

Note

Please refer to official NIST publications and resources to get the latest and most detailed information on NIST’s SSDF.

MITRE frameworks

MITRE Corporation is a not-for-profit organization that operates Federally Funded Research and Development Centers (FFRDCs) in the United States. One of MITRE’s key contributions to software security is the development and maintenance of the Common Weakness Enumeration (CWE) and Common Vulnerabilities and Exposures (CVE) standards:

1. CWE:

Purpose: CWE is a community-developed dictionary of common software weaknesses that can lead to security vulnerabilities. It provides a standardized way to identify, describe, and categorize software weaknesses.
Use cases: Developers, security professionals, and researchers use CWE to identify and mitigate vulnerabilities during the SDLC. It aids in improving the security of software by providing a common language for discussing and addressing weaknesses.

2. CVE:

Purpose: CVE is a standardized identifier system for publicly known security vulnerabilities. Each CVE entry includes a unique identifier, a description of the vulnerability, and references to resources that provide additional information.
Use cases: CVE is widely used in the cybersecurity community for tracking and referencing vulnerabilities. Security researchers, vendors, and organizations use CVE identifiers to communicate about specific security issues consistently.

3. MITRE ATT&CK framework:

Purpose: The MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework is a knowledge base that describes the actions and behaviors of cyber adversaries. It provides a comprehensive view of the various tactics and techniques adversaries use to achieve their objectives.
Use cases: Security professionals, threat hunters, and incident responders use the ATT&CK framework to enhance their understanding of cyber threats and to improve defenses. It helps organizations assess their security postures and responses to different adversary behaviors.

MITRE’s contributions to software security, mainly through CWE and CVE, play a crucial role in standardizing the identification and communication of vulnerabilities. These efforts contribute to a more secure and resilient software ecosystem by providing a common foundation for addressing weaknesses and sharing information about security threats and exposures.

Software development lifecycles

SDLCs are systematic processes or methodologies that software development teams use to plan, design, build, test, deploy, and maintain software applications. These life cycles help ensure that software projects are completed efficiently, on time, and within budget while meeting the specified requirements and maintaining high quality. There are several different SDLC models, and the choice of which one to use depends on the project’s needs and requirements. Here are some of the most common SDLC models:

Waterfall model: The Waterfall model is a sequential set of steps involved in software development. It divides the project into distinct phases: requirements, design, implementation, testing, deployment, and maintenance. Each phase must be completed before the next one begins, and it is challenging to make changes after a phase is complete. It is well-suited for projects with well-defined requirements that are unlikely to change.
Agile model: Agile is an iterative and incremental software development approach focusing on flexibility and customer collaboration. It breaks the project into smaller, manageable iterations, often called sprints. Requirements and solutions evolve through the collaborative effort of self-organizing, cross-functional teams. It is well-suited for projects with evolving or unclear requirements.
Scrum: Scrum is a specific framework within the Agile methodology that provides a set of roles, ceremonies, and artifacts for managing work. It emphasizes regular, time-boxed meetings and the continuous delivery of a potentially shippable product increment. Scrum teams work in short cycles, typically two to four weeks, called sprints.
Kanban: Kanban is another Agile approach that visualizes the workflow and manages work in progress. It uses a Kanban board to represent tasks or user stories as cards that move through columns representing different stages of development. Teams pull work from a backlog as capacity allows.
Iterative model: The Iterative model involves repeating cycles (iterations) of development, where a subset of the software’s features is developed and tested in each iteration. It allows for changes and improvements to be made during each iteration. It is well-suited for projects that can benefit from ongoing refinement and feedback.
Spiral model: The Spiral model is a combination of the Waterfall model with iterative and risk-driven development. It involves repeated cycles of planning, risk analysis, engineering, and testing. It is well-suited for large and complex projects where risk management is a priority.
DevOps: DevOps is not a traditional SDLC but a set of practices emphasizing close collaboration between development and operations teams. It aims to automate the deployment and operations of software to improve the speed and reliability of software delivery.
V-Model (Validation and Verification model): The V-Model is an extension of the Waterfall model, emphasizing the relationship between each development phase and its corresponding testing phase. Each development phase has a corresponding testing phase, resulting in a V-shaped diagram.
Rapid application development (RAD): RAD is an incremental, fast-paced SDLC model focusing on rapid prototyping and quick feedback. It is well-suited for projects that require a fast time-to-market.
Big Bang model: The Big Bang model is an informal and unstructured approach where developers start coding without a specific plan or methodology. It is rarely used for large or critical projects but may be used for small, experimental projects.

The choice of which SDLC model to use depends on project requirements, the development team’s experience, project size, budget, and the need for flexibility or predictability. Many organizations also customize or combine these models to create a hybrid SDLC that best suits their needs. Whichever SDLC model is used, the models developed in this book are still built. The scope of the modeling work differs from one SDLC to another, but every SDLC model will still support, and benefit from, the methodology described in this book.

Microsoft’s Security Development Lifecycle

The Microsoft Security Development Lifecycle (SDL) is a set of practices and guidelines that Microsoft has developed and implemented to improve the security of its software products. The SDL is designed to ensure that security is integral to the software development process from the beginning. It includes a set of best practices, tools, and processes that help identify and address security vulnerabilities at all stages of software development. Here are some critical aspects of the Microsoft SDL:

Training and education: The SDL emphasizes training and education for developers and other stakeholders to raise awareness of security issues and best practices. The training includes secure coding training and security awareness programs.
Threat modeling: One of the critical elements of the SDL is threat modeling, which involves identifying potential threats and vulnerabilities in the design and architecture of the software. By understanding these threats early in the development process, security measures can be implemented to mitigate them.
Static analysis tools: Microsoft uses static code analysis tools to automatically scan code for security vulnerabilities. These tools can help detect buffer overflows, SQL injection, and other standard security problems.
Security code reviews: Manual code reviews are essential to the SDL. Developers and security experts review code to identify security issues that automated tools might miss.
Penetration testing: Penetration testing is conducted to identify vulnerabilities and weaknesses in the software. It involves trying to exploit the software in a controlled manner to discover potential security flaws.
Security design and review: The SDL includes security design reviews to assess the security of the software’s architecture and design. Any issues identified during these reviews are addressed before implementation.
Security testing: Comprehensive security testing is performed throughout development to find and remediate vulnerabilities. This testing includes dynamic application security testing (DAST) and fuzz testing. We will discuss automated testing more in Chapters 11 to 14, where we discuss software validation and penetration testing.
Incident response planning: The SDL includes planning for security incident response. This planning ensures the development team is prepared to respond effectively to security incidents or breaches.
Compliance and privacy: The SDL considers regulatory compliance and privacy requirements. This process helps ensure that Microsoft’s software products meet legal and privacy standards.
Security updates and patching: Microsoft is committed to providing timely security updates and patches for its products. This process is a crucial aspect of maintaining software security post-release.
Continuous improvement: The SDL is a continuously evolving process. Microsoft incorporates feedback and lessons learned into each iteration of the SDL to improve security practices.

Microsoft’s adoption of the SDL has not only improved the security of its software products but has also positively influenced the software development industry as a whole. Microsoft has made many of its SDL resources and tools available to the public, allowing other organizations to implement similar practices and enhance the security of their software development processes. The process described in this book aims to be closer to the source code and cover more lines of code than the Microsoft model.

Confidentiality, integrity, and availability

CIA is an acronym representing the core principles of information security: confidentiality, integrity, and availability. These principles are fundamental to designing and implementing secure systems and are often called the CIA triad:

Confidentiality ensures that information is only accessible to those with authorized permissions. Software security involves encryption, access controls, and user authentication to protect sensitive data from unauthorized access.

Integrity ensures that information remains accurate and unaltered during storage, processing, or transmission. In software security, techniques such as data validation, checksums, digital signatures, and version control are used to maintain data and software integrity.

Availability ensures that information and resources are available and accessible when needed. Software security involves measures to prevent and mitigate disruptions, such as redundancy, failover systems, and robust backup procedures, to ensure that software and data are available despite attacks or failures.

These principles guide the development of security policies, practices, and technologies to protect against various threats, including unauthorized access, data breaches, and service disruptions. Security professionals and developers often use the CIA triad as a framework to assess and enhance the security posture of software systems. Many of the historical software security issues discussed in the What can go wrong? section earlier point back to one of these three categories.
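The integrity leg of the triad in working code, as an added example that is not from the book or its ticketing project: it contrasts an unkeyed checksum, which only catches accidental corruption, with a keyed MAC (HMAC-SHA256), which also catches deliberate modification by anyone who does not hold the key, and adds a small input-validation routine. The ticket record layout, the seat map, and all function names are constructed for illustration.

```python
"""Integrity controls from the CIA triad: checksum vs keyed MAC vs validation.

Added example; the ticket record, seat map and helper names are assumptions
made for illustration and do not come from the book.
"""
import hashlib
import hmac
import json
import secrets


def canonical(record: dict) -> bytes:
    """Serialize deterministically so equal records always hash equally."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def checksum(record: dict) -> str:
    """Unkeyed checksum: catches accidental corruption, not deliberate changes."""
    return hashlib.sha256(canonical(record)).hexdigest()


def mac(record: dict, key: bytes) -> str:
    """Keyed MAC (HMAC-SHA256): only a holder of the key can produce a valid tag."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_checksum(record: dict, tag: str) -> bool:
    # compare_digest avoids leaking the position of the first mismatch via timing
    return hmac.compare_digest(checksum(record), tag)


def verify_mac(record: dict, tag: str, key: bytes) -> bool:
    return hmac.compare_digest(mac(record, key), tag)


def validate_ticket(record: dict) -> list:
    """Data validation, the other integrity control named in the text.
    Returns a list of problems; an empty list means the record is well formed."""
    problems = []
    ticket_id = record.get("ticket_id")
    if not isinstance(ticket_id, str) or not ticket_id.startswith("T-"):
        problems.append("ticket_id must be a string starting with 'T-'")
    price = record.get("price_cents")
    if not isinstance(price, int) or isinstance(price, bool) or price < 0:
        problems.append("price_cents must be a non-negative integer")
    if record.get("seat") not in {"A12", "A13", "B1"}:  # constructed seat map
        problems.append("seat is not in the venue seat map")
    return problems


def demo() -> dict:
    """Run the scenario and return each outcome so it can be checked."""
    key = secrets.token_bytes(32)  # server-side secret; never sent to clients
    ticket = {"ticket_id": "T-1001", "event": "Example Show",
              "seat": "A12", "price_cents": 8500}       # constructed record
    stored_checksum = checksum(ticket)
    stored_tag = mac(ticket, key)

    tampered = dict(ticket, price_cents=100)   # modified copy with a lowered price
    forged_checksum = checksum(tampered)       # unkeyed checksum is trivially recomputed
    forged_tag = mac(tampered, b"guess")       # without the real key the tag is wrong

    return {
        "original_verifies": verify_mac(ticket, stored_tag, key),
        "checksum_detects_tamper": not verify_checksum(tampered, stored_checksum),
        "checksum_fooled_by_recompute": verify_checksum(tampered, forged_checksum),
        "mac_detects_tamper": not verify_mac(tampered, stored_tag, key),
        "mac_rejects_forgery": not verify_mac(tampered, forged_tag, key),
        "validation_errors": validate_ticket(
            {"ticket_id": "1001", "seat": "Z9", "price_cents": -5}),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point is the "checksum_fooled_by_recompute" outcome: a checksum stored next to the data gives no protection against a party who can rewrite both, which is why integrity against deliberate modification needs a key (a MAC) or a private signing key (a digital signature), while a plain hash remains adequate for detecting transmission or storage errors.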

Summary

This chapter introduced secure software development principles. We looked at some organizations supporting the secure software development process, including OWASP and NIST. We also discussed the standard principles recognized by most secure developers. Next, we examined the differences between software development models and saw that the methodology presented in this book works with all of the life cycles, whichever one is used. Lastly, we explored the Microsoft SDL and compared it with the approach presented in this book.

In the next chapter, we will look at building a more extensive example project based on what we have learned.

Self-assessment questions

1. What is the primary purpose of the “fail securely” principle?
A. To avoid using third-party libraries
B. To ensure that the application never experiences failures
C. To immediately shut down the application in case of any issue
D. To gracefully handle failures while maintaining security measures

2. What does the “divide and conquer” principle in secure design suggest?
A. Security measures should be concentrated in a single layer for easier management
B. Security tasks should be assigned to separate teams for better efficiency
C. Complex problems should be divided into smaller, manageable components
D. The application’s features should be divided between different development teams

3. Why does the principle of “minimize attack surface” suggest that applications should have fewer exposed entry points?
A. To reduce the potential points of vulnerability and attack
B. To increase the application’s processing speed
C. To enhance the user experience
D. To limit the number of users who can access the application

4. The “security by design” principle emphasizes that security measures should be what?
A. An afterthought in the development process
B. Integrated into the design and architecture from the beginning
C. Added only in the final stages of development
D. Implemented separately from the main application components

5. Which organization creates and maintains the OWASP Top Ten list of secure design principles?
A. NIST
B. World Wide Web Consortium (W3C)
C. Internet Engineering Task Force (IETF)
D. OWASP

6. “Validation and encoding” is a secure design principle that helps prevent what?
A. Social engineering attacks
B. Data loss due to hardware failure
C. Physical breaches
D. Injection attacks

7. In the context of secure design, what does the “privacy protection” principle focus on?
A. Ensuring that user data is collected and stored without restrictions
B. Preventing users from sharing personal information
C. Encrypting all communication between users and the application
D. Protecting sensitive user information from unauthorized access and disclosure

8. What does the “least common mechanism” principle suggest?
A. The least commonly used authentication methods should be employed
B. Sharing mechanisms across different components should be avoided to limit risk
C. Common mechanisms should be used to increase efficiency