CISSP Domain 8: Software Development Security

--- title: " CISSP Domain 8: Software Development Security" description: "CISSP Domain 8: Software Development Security" keywords: "CISSP, Domain 8, Software, Security, SDLC" author: "diabee" date: "2025-01-21" --- ## CISSP Domain 8: Software Development Security ### Understand and integrate security in the Software Development Life Cycle (8.1) And Identify and apply security controls in software development ecosystems (8.2) #### Where Vulnerabilities Live ![image](https://hackmd.io/_uploads/rJAbTsB71l.png) → 系統的漏洞都存在哪裡 - Design (v)→ 成本、挑戰最高 → redesign砍掉重練 - Implementation → 開發的時候，寫的有沒有問題 - Operation → 維護的時候 #### Security of the Software Environment - All - elements, activities, information, people, and systems - that affect a software system - creation, modification, and disposal - throughout the system’s lifecycle of development, operational use, and support ![image](https://hackmd.io/_uploads/ByBmToHX1x.png) SLC 人生 SDLC 懷胎到生出來 → Design和Implement階段 CISSP 重在維運這一塊 → Operation階段 #### Threat（attack surface) Surfaces: Local and the Web ![image](https://hackmd.io/_uploads/Bku4pjBmke.png) #### Executable Content and Mobile Code (like javascript, java applet) Mobile Code → 他是我們用戶在網路上下載可以立刻執行的那一種 - Shared (downloaded) across networks - Content or links to content embedded within other files - Executed by target / client system after download - Java applets, scripts, ActiveX controls, or binaries - Files or byte streams that control apps and systems behavior - Can be legitimate, beneficial — or hostile and harmful - Most come to user endpoints without user knowledge or consent #### Sandboxed → 應用程式執行環境 → 當程式執行完後，關掉沙箱，完全不對系統造成影響，用來保護系統 - Provides a protective area for program execution - Sandbox applets cannot: - Access client resources - Connect to or retrieve resources from any third-party server - Load native libraries - Change the security manager - Create a class loader - Read certain system properties #### Vulnerabilities Across the Cycle of Software Build and Use - Systems becoming far more complex - Vulnerabilities are self-induced(human error) - Analysis and design errors - Programming errors - System test, build , deploy, and support errors --- - Design - Implementation - Operation #### Finding Vulnerabilities: Delays Drive costs to Fix ![image](https://hackmd.io/_uploads/rJx56jrX1x.png) 在越早的階段，修復成本越小寫code跟寫安全的code是不一樣從語法層級來看→ 最邪惡的寫法是”+” 而不用安全的StringBuilder code scanner → 只要你的程式不是按造他的規範下去寫，翻車的機率偏高，通常都會出事 #### The Good News : We Can Make Highly Reliable, Secure Systems - Legal and market forces demand greater security in systems. - Classic errors can be unlearned, prevented, found, and fixed. - You do not have to be a software engineer to help. - Each stage is an opportunity to reduce threat surface - Good (or better) practices exist: - DevSecOps, OWASP #### Architecture and Threat Modeling: Process 設計階段 - Threat modeling → 為了預測攻擊 → 防禦措施 - Multiple layers of threat surface - Early in analysis and design - STRIDE - Spoofing - Tampering - Repudiation - Information disclosure - Denial of service - Elevation of privilege #### Goal: Data-Centric Protection 數據資料 - Protect data from network, system and software threats - Software flaws - Malformed input attacks can force abnormal software behavior - Any data interface, any source, any format #### Software Development Lifecycle (SDLC) Phases (Waterfall) ![image](https://hackmd.io/_uploads/HJ8aTiSm1g.png) ![image](https://hackmd.io/_uploads/rkBC6sSXJe.png) #### Scrum - 快速變動 ![image](https://hackmd.io/_uploads/r1DkCiHXkx.png) Agile 會把專案切成一個小塊 backlog 再分給每個sprint #### Continuous Integration and Continuous Delivery (CI/CD) - Continuous Integration - Buildup of an application from individual software units - Unit code and test, then subsystems build and test - Full-up app testing - Continuous Delivery - Delivery release packages - Deploy to production environment - Execute build / installation process, verify - Enable user access - CI/CD: automate all of that to greatest practical extent - Each step needs coordination and monitor pipeline in action - DevOps - Dev - Test ⇒ CI/CD Pipeline - Opt ![image](https://hackmd.io/_uploads/H1WzAiSQ1e.png) ![image](https://hackmd.io/_uploads/Hyof0sr7yg.png) - DevSecOps → 我在測試的過程中會把安全性要素加入 → 每個階段都會有安全議題 ![image](https://hackmd.io/_uploads/ryp7CorQJg.png) - uacme - cloud native (cncf) → 雲端原生 → 重要 → 高度自動化 #### Choosing a Software Project Life-Cycle Model → Security 用哪個模型是對的？重點不在哪個模型(布瀑、敏捷)，是安全 - Companies tend to combine different methodologies to fit their requirements. - Security must be included regardless of methodologies used. - All stakeholders must be involved in determining requirements. - Industries frequently change what needs are most urgent to deliver. --- - 安全開發會有三個面相切入 - 流程 - System/AP - 語法 #### Secure Software Development Lifecycle (SSDLC) 1. Start security activities as early as possible(”shift to the left”) → 靠左文化 2. Integrates security activities into each other ![image](https://hackmd.io/_uploads/H1eL0oHQkl.png) - SSDLC每個階段要有東西 - 要用BSIMM, SAMM 成熟度模型 #### Requirement Analysis - Traditionally - Functional requirements - Nonfunctional requirements - Identify security requirements #### Design : Threat Modeling (生命週期的講法) - Identify potential software threats and mitigate them - STRIDE as example of a popular threat modeling approach: - Spoofing - Tampering - Repudiation - Information disclosure - Denial of Service - Elevation of privilege --- - 需求階段要做安全性需求 → 安全性需求怎麼解 - 設計階段要做威脅模型 Threat Modeling → Attack → 需求 → Spec (這個就不是走生命週期的流程) S ↔ SDLC Security vs Software 兩個會有衝突為什麼有些人建議用成熟度模型 - 能力好用高一點 - 能力不好就用低一點 ### Define and apply secure coding guidelines and standards (8.5) #### Who Writes Your Source Code? - From most to least trustworthy: - Major hardware and systems vendors - Applications software vendors and platform providers - Third-party developers (customize, tailor, orphan, support) - In-house developers - Open-source providers - Citizen programmers - Mobile code (from others’ systems) #### Coding : Procedural vs. Object-Oriented Concepts - Procedural programming - Modularizes sequences of steps or tasks - Subprograms, subroutines, functions - Object-oriented programming (OOP) - Packages data/attribute with the operations (”methods”) - Classed/subclasses: sets of object definitions - Both support: - Code reuse, data modeling, adding/changing functionality, data quality - Security practices #### OOP characteristics - Software development can be faster, more agile and more resilient - OOP characteristics - Encapsulation(data hiding) - Inheritance - Polymorphism #### Inheritance ![image](https://hackmd.io/_uploads/Hk-nAorXyg.png) #### Polymorphism ![image](https://hackmd.io/_uploads/B1AhAir7Jl.png) #### Common Causes of Software Coding Errors - Poor coding practices → 程式沒寫好，sql injection … - Poorly enforced design/coding standards → 沒有去套用coding standards - Improper use of libraries, open source, APIs, third-party code → 沒有正確去呼叫lib - Poor management of software development processes → 開發流程沒有做妥散控管 coding standards → 會給你語法層級的範例 #### Common Exploitable Software Source Code Errors - Vulnerabilities: - Poor coding practices - Poorly enforced design/coding standards - Improper use of libraries, open source, APIs, third-party code - Poor management of software development processes - Threats that exploit them: - Buffer overflow - Malformed input attacks - Covert channels - Memory or other object reuse #### Common Software Vulnerabilities - System Crash - ACE(arbitrary code execution) - Storage - Timing - Malformed input attacks - Buffer overflow - Covert channels - Trapdoor or backdoor - Memory or other object reuse - object reuse - 使用前：初始值→完整性 - 使用後：敏感資料→機密性 - Social engineering - Race conditions - Time of check vs. Time of use (TOCTOU) #### Buffer Overflow - Most common arbitrary code execution exploit — simple to defend against: - Code - Enforce bounds checking on all data structures (buffers, pointer list, etc.) - Run-time protection - ASLR → 程式每一次執行記憶體位置起始位置都不一樣 - DEP → 乾脆不執行，當系統偵測到系統裡面有可以執行的程式就不執行。？ ![image](https://hackmd.io/_uploads/H1e_xpr7yx.png) System Crash ACE(arbitrary code execution) #### Covert Channels (資料偷出來) - Misuse of feature → enables information transfer that violates security - Types - Storage: File system or file content leaks, misuse; e.g. steganography - Timing : inter-task synchronization (打暗號) #### Race Condition - If multiple threads use a same resource at the same time, a area condition is possible - Attacks take advantage of the dependency on the timing of events that take place in a multitasking operating system - Use locking to avoid race condition - TOCTOU(檢查跟使用的狀態不一致) is an example of race condition - Linux dirty pipe ![image](https://hackmd.io/_uploads/Bk1cl6rQyx.png) https://xiaomiui.net/zh-TW/dirty-pipe-vulnerability-affects-millions-19089/ #### Example of Race Condition ![image](https://hackmd.io/_uploads/ByDsgarXkl.png) #### TOCTOU Attack ![image](https://hackmd.io/_uploads/S1dCeaBmyx.png) #### Source Code Analysis Tools - Analyze source code to help find security flaws. - SAST - Support all SDLC phases, all methodologies - Weakness - Many security vulnerabilities are difficult to find automatically - False positives - Frequently cannot find configuration issues. - Difficulty analyzing code that cannot be compiled. --- - 語法安全問題又分為兩種 - 語法本身的問題 - C/C++、php …etc - 程式使用的問題 - .net、java …etc 你要按照我的規則下去寫code 再去做code scanner會比較好 #### Secure coding Guidelines and Standards - Failed Security - Coding - Preference - Familiarity - Haste - Ignoring best practices - Reusing “first thing found” - Ad hoc approach - Successful Security: - Frameworks, patterns, and templates for proven functions - Enforcement for data typing, range checking - Reuse of proven, trusted libraries, tools - Controlled process for build, test integration, deployment #### Libraries and Toolsets - Libraries: - Prewritten code, classes, procedures, scripts, and their data - Standard (vendor-supported) libraries - Third-party add-on libraries - Open-source libraries - CON: library developer’s shortcuts, errors become your risks. - Toolsets: - Can enhance productivity and security - Configuration management - Builds and controls - IDEs - Audit - Test - Analysis #### Deploy More Securely Using Operating System and Hardware Support - Do: - Task/process privilege - Memory/resource security, isolation, and protection - Integrity, functionality of OS security kernel, reference monitor - Trusted computing base(TCB) modules - Aggressive physical and logical security - Microsegmentation of networks to isolate higher-risk IoT devices - Do not: - Let developers create workarounds to OS-enforced/hardware-supported security **ex: alpine → 可攻擊面積非常小** #### Cryptographic Approaches for More Secure Software - Do: implement and enforce policies to: - Mange digital certificates, cryptographic suite, and keys. - Integrate password/token managers with access control and identity management. - Use hardware security modules for secure, robust key/certificate storage and management. - Harmonize IT systems acquisition process with organizational cryptographic use… - Include citizen developers / BYOx / Shadow IT. - Provide cryptographic support to development, test, and other special environments. - Do not: - Let developers at any level create their own cryptographic solutions. 正確的去用它 ### Assess the effectiveness of software security (8.3) Assess security impact of acquired software (8.4) 安全評估 Domain 6 #### What is Software (Quality) Assurance 品保 - Proper functioning of software systems - Performs all intended/required functions - Does not perform unintended functions - Free from errors at any time during the software lifecycle - Free from (exploitable) security vulnerabilities by design - SQA or software assurance is: - Process: The planned and systematic activities used to achieve assurance - Result: The confidence that results from effective use of the process #### Formal Approaches for Software Assurance - Emphasize record-keeping, audits, inspections, and formalized approval/acceptance decision making - Certification and Accreditation (C&A)：failing out - Risk management frameworks - NIST, ISO frameworks - Software process/capabilities maturity modeling - SEI SW-CMM - Software Assurance Maturity Model - OWASP SAMM - Certification 驗證 - 如規格、如要求 - 技術上的安全 - **Accreditation** 認證 - 取得管理層的認可核准(owner)與權限 → 對事情有最終決策權限負最終責任 -＞你已經是管理層，為什麼還要認可？→ 可接受的營運風險 - 可接受的營運風險 SOC是簽證風險管理框架 → 營運面向軟體開發框架 → 軟體開發面向安全開發框架 → 安全開發面向 #### Maturity Model for Software Development - Formalized ways to measure or assess the reliability, repeatability, and quality of business processes - Lessons learned - Uses: - Understand current processes - Assess improvement opportunities - Set targets - Management #### Software Capability Maturity Model (CMMI) 軟體能力成熟度整合模式 ![image](https://hackmd.io/_uploads/S1HtbarXyg.png) #### Software Assurance Throughout the Life Cycle - Software assurance policies establish and manage development/acquisition of software, use, and support. - Security policies establish risk mitigation controls. - Assessment must be undertaken during every phase. - Analysis and feedback are crucial to users, developers, and managers. #### Software Assurance and Security Assessment ![image](https://hackmd.io/_uploads/B1I5W6B7Je.png) #### Security for Third-Party Software - Most software is not developed in-house - Third-party IDEs, libraries,… - Purchase or lease rights to Commercial off the shelf (COTS) - Users do not have the resources to influence developers - Contract with third parties who will: - Develop new software for organization’s exclusive use - Tailor/customize commercial products specifically for the organization - How do you establish trust and confidence? HBOM → 硬體物料清單 #### Software Assurance During Acquisition: A Phased Approach 1. Planning 2. Contracting 3. Monitoring, Acceptance, and Deployment 4. Ongoing Use and Support [case-study] #### Open-Source Software and Security Assessment - Open-source code is available to anyone. - Developers disagree on whether this makes it more secure. - Follow the same secure software development policy. - Source code analysis 組織內部怎麼檢測，他就怎麼檢測 #### Orphaned Software and Systems Security Assessment - These are system elements no longer supported by original - Transition plan - Security assessment can still be worthwhile - Consider “virtual patch“ 理論上他應該要被換掉，實際上有沒辦法換掉的理由 #### Mergers and Acquisitions: Special Issues - New owners of a merged organization inherit good and bad assets of the organization - Differences in decision-making, record-keeping, and documentation - Possible lack of documentation of previous data breaches, systems intrusions, malware #### Runtime Security - Hardware and software that load programs into memory for execution - Runtime environment must include components required for security to be handled properly - Controls use of privilege, access to system services and resources - Logging about this execution - Protects other programs/resources → 加入EDR、EDA 這種機制進去 #### Control and Separation of Environments - 把開發跟生產環境切開 - Development environment #### Secure Software and Systems Needs for Configuration Management - Quality assurance environment - Production environment - Establish the software baseline configuration - Change control prevents unauthorized changes - Auditing and logging of changes - More on domain 7 - CM(Ops) vs SCM(Dev) version control - SCM → 版控 - CM : #### Web Application Environment - Most attacks are conducted at the application level. - Websites, web apps depend on mobile code of many forms. - Almost all mobile code is human-readable and easy to reverse engineer. #### Web Application Vulnerabilities and Threats - Vulnerabilities - Design and coding mistakes - Technical reconnaissance - Threats: - DoS and DDoS - MITM - Treating website as collection of threat crossing points #### Web Application Protection - Strategies - Strengthening access control - Hardening server operation systems - Security-focused configuration management of servers, systems, apps - Disabling unnecessary documentation and libraries - Extending web and network vulnerability scans prior to deployment - Using IDS, IPS, and firewalls - Monitoring, auditing, inspecting, and conducting security assessments - Controls - Do: - Confirm encryption meets industry standards - Monitor code vendors for patches and alerts - Log all critical transactions and milestones - Handle exceptions properly - Do not: - Cache secure pages - Trust any data from the client - Automatically trust data - W/A vs WS ![image](https://hackmd.io/_uploads/SkqyMTHQke.png) #### Representational State Transfer (REST) Security - Software architectural style for distributed hypermedia. - Inspired by WWW - Mostly use HTTP protocol to implement - Rest/Restful API #### Application Programming Interfaces (APIs) - API security issues include the following: - Authentication - Authorizations: OAuth - Encryption - Preventing unauthorized data entry / modification - Accountability and Auditing - Availability of current data - Rate limiting Example. API Authorization issue #### Open Web Application Security Project (OWASP) Framework - Community-led open-source projects in all aspects of web and software security - Projects and related resources - Top ten web application security risks - OWASP Mobile Top 10 - OWASP API Security Top 10 - Web Security Testing Guide - Offensive Web Testing Framework - Mobile Security Testing Guide - Cheat Sheet Series - Security Knowledge Framework - Zed Attack Proxy - AMASS #### Database Management System (DBMS) Architecture ![image](https://hackmd.io/_uploads/ryJGMpB7ke.png) #### Structured Query Language (SQL) - Main concepts: - Schemas - Tables - View - Languages - DML - DDL - DCL - Security control aspects #### Markup Languages and Databases - Express data formatting and arrangement - Examples - HTML XML #### Structured Query Language (SQL) - Used to write statement(”queries”) that: - DML: Create, read, update, and delete(CRUD) rows in tables - DDL (only DBA) - Create database schema (structure) by defining tables, attributes - Define relationships, indexes, and keys - DCL (only DBA): GRANT, DENY, REVOKE - Queries - User-entered, stored(view), or via applications interfaces (APIs) #### Connection Apps to Databases - Open Database Connectivity (ODBC) - Java Database Connectivity (JDBC) - Extensible Markup Language (XML) - Object Linking and Embedding Database (OLE DB) - ActiveX Data Objects (ADO) ![image](https://hackmd.io/_uploads/Sy9XM6rmJe.png) #### Database Models - Establish the logical structure of data elements and framework for organizing the data - DBMS implements the model and provides: - Transaction persistence - Fault tolerance and recovery - Sharing by multiple users - Security controls - Common types: - Hierarchical, network, graph, relational, object-oriented #### Achieving Data Integrity in Different Database - Data integrity and consistency must be preserved. - Must address: - Near-simultaneous transaction submissions by multiple users - System or data problems in completing transactions - If any step fails, whole sequence must be undone. #### ACID - RDBMS Transaction Properties - DBMS must guarantee data validity ever errors happen - Atomicity: sequences of steps that must all be performed → 交易只有兩種狀態，不是成功就是失敗 - Consistency: integrity constraints → 交易前後狀態一致 - Isolation: lock → 避免race condition - Durability: transaction persistence → 資料一但寫入資料庫，就不會掉了 #### Integrity Constraints - Data integrity and consistency must be preserved at all times - Entity integrity - Primary key - Unique, non-nul - Referential integrity - Foreign key - Valid reference to a primary key - 參照的正確性 #### DB applications: OLTP and Data Warehouse - Online Transaction Processing (OLTP) 線上即時交易系統 - Facilitates / manages transaction-oriented applications - Two security concerns: - Atomicity - Avoid concurrency problems - Data Warehouse - Designed to help you analyze data(OLAP) 線上即時的數據分析 - Control, manage metadata, change, use ![image](https://hackmd.io/_uploads/BkzIM6B7Jg.png) #### Threats to Database and Data Warehouse Architecture - Query attacks (C) - **In **query attacks,** users try to use query tools to access data not normally allowed by the trusted front end, including the views controlled by the query application. Malformed queries using SQL in such a way as to bypass security controls may also be possible. There are many other examples of where improper or incomplete checks on queries can be used in a similar way to bypass access controls. - Bypass attacks (C) ↔ Alternative, but not quite equivalent, query paths (C) - Users may attempt to bypass controls at the front end of the database application to access information. These controls are normally implemented by the database management system (DBMS) and its query engine. However, attackers may be able to find ways around these without going through the query engine interface or its command line interpreter (CLI); this is therefore known as a bypass attack. - Interception of data (C) - If remote access is allowed to access database environments, the session may be open to interception and modification of the data in transit. - Data contamination (I) - Attackers can attempt to use malformed inputs at the field, record, transaction, or file level to disrupt the proper functioning of the system. (This can occur in any environment and is not just a problem in database architectures, of course.) - Denial of Service (Dos) (A) - **These are attacks or actions that could prevent authorized users from gaining access to the information or prevent a process or system from doing its duty. Often this can happen through a poorly designed application or query that locks up databases tables and requires intensive processing, such as a table scan where every row in the table must be examined to return the requested data to the calling application.** - Unauthorized access (C) - Allowing the release of information either intentionally or accidentally to unauthorized users. Examples may include error messages or system prompts that provide the unauthorized user with information about the nature or function of the system. - Compromising database views used for access control (C) - A database view restricts the data a user can see or request from a database. One of the threats is that users may try to access restricted views or modify an existing view with certain capabilities they may have. Another problem with view-based access control is the difficulty in verifying how the software performs the view processing. Because all objects must have a security label identifying the sensitivity of the information in the database, the software used to classify the information must also have a mechanism to verify the sensitivity of the information. Combining this with a query language adds even more complexity and possible security problems. Also, a database view typically just limits the data the user sees, it does not limit the operations that may be performed on the views. - Alternative, but not quite equivalent, query paths (C) - An additional problem is that the layered model frequently used in database interface design may provide multiple alternative routes to the same data, not all of which may be adequately protected. A given user may be able to access information through the view provided, through a direct query to the database itself or even via direct system access to the underlying data files. Because of this, any standard views set up for security controls must be carefully prepared in terms of the granularity of the control. Views can be very granular and able to restrict access to information down to a field and even to a specific content-based restriction level. Modifications to these regulations can significantly change the degree of possible access material provided through the view. - Aggregation and inference(C) - The ability to combine nonsensitive data from separate sources to create sensitive information is referred to as aggregation. For example, a user takes two or more unclassified pieces of data and combines them to form a classified piece of data that then becomes unauthorized for that user. The combined data sensitivity can be greater than the classification of individual parts. Being able to aggregate information may lead to inference possibilities. Inference is the ability to deduce more sensitive information than you should be allowed. - TOCTOU(I) - Attacks can also occur in database environments. An example is when some type of malicious code or privileged access could change data between the time that a user’s query was approved and the actual time the data is displayed to the user. - Deadlocking(A) - Deadlocks occur when two more processes each hold some elements of a set of resources that the other needs to complete its own processing. In a database environment, deadlocking occurs when two concurrent processes have locks on separate objects and each process is trying to gain a lock on the object that the other process has already locked. People often refer to this condition as a “deadly embrace.” When deadlocks are detected during operations, the system (or its administrators) may end the deadlock by automatically choosing and aborting one of the concurrent processes, thus allowing the other process to continue. Recognizing the situation, however, may not be that easy. But if it is recognized, at this point, the aborted transaction needs to be rolled back and an error message is sent to the user of the aborted process. Typically, the transaction that requires the least amount of overhead to roll back is the transaction that should be chosen to be aborted. - Physical or direct logical access to the server(C) - These attacks could lead to the disabling or changing of logical and technical controls. - Web-based attacks(CIA) - Many database environments allow access to data through web technologies. Static web pages (HTML or XML files) are methods of displaying data stored on a server to the user’s browser. One method is when an application queries information from the database and the HTML page displays the data. Another is through dynamic web pages that are stored on the web server with a template for the query and HTML display code, but no actual data is stored. When the web page is accessed, the query is dynamically created and executed, and the results are displayed via the HTML display. If the source for the page is viewed, all information, including sensitive data, may be visible at this point. Providing security control includes measures for protecting against unauthorized access during the login process, protecting the information while it is transferred from the server to the web server and protecting the information from being stored on or downloaded to the user’s browser. 看這些攻擊從CIA的角度下去看，就會知道怎麼防護 #### Database Management System (DBMS) Controls - System level - Control access to the DBMS or data warehouse - Within DBMS - Use IAM to define privilege relationships to objects - Database/data set level - Support data cleansing, validation, constraint checks during load, creation, update - Record (or object) level - Locks - Atomicity, Consistency, Isolation, Durability #### Malicious Software (Malware) 惡意程式 1. 感染方式 2. 散播方式 3. 行為 - Viruses - Worms - Trojans - Botnets - Distributed Denial of Service - Ransomware - Spyware and adware - Hoaxes - Pranks - Logic Bombs - Social engineering