
Security in System Development Module Code: CSM 202

© 2009 Informatics Education Ltd, a member of Informatics Group. Informatics Campus, 12 Science Centre Road, Singapore 609080

CSM 202 Security in System Development

Learning Guide (Draft)

First Printing October 2009

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted by any form or means, electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the publisher. Every precaution has been taken by the publisher and author(s) in the preparation of this book. The publisher offers no warranties or representations, and does not accept any liabilities with respect to the use of any information or examples contained herein. All brand names and company names mentioned in this book are protected by their respective trademarks and are hereby acknowledged. The developer is wholly responsible for the contents, errors and omissions.

Published by Informatics Education Ltd

ii | P a g e

Table of Contents

Your Lecturer ............................ 5
Unit Specifications ...................... 5
Lesson Plan .............................. 7
Assessment Methods ...................... 10
    Assignment (Coursework) ............. 10
    Tests ............................... 11
    Examinations ........................ 11
Module Objectives ....................... 13
Unit 1: Security Risk Profiling ......... 14
Unit 2: Security Requirement ............ 16
Unit 3: Secure Design ................... 17
Unit 4: Threat Modeling and Risk Ranking  19
Unit 5: Code Review Strategies .......... 21
Unit 6: Security Testing Methodology .... 22
Unit 7: Security Testing Tools and Technique  23
Unit 8: Penetration Testing ............. 24
Unit 9: Secure Deployment ............... 26

Each unit consists of an Introduction, the Topics to be Covered and Discussion Questions, all starting on the page given above.

Your Lecturer

Instructor name and contact information:
Name:
Email address:
Home phone number:
Office telephone number:

Unit Specifications

Unit Name: CSM 202: Security in System Development
Unit Type: Year 2 Core
Pre-Requisite: None
Unit Description: This module focuses on application security, digital security and network security. It includes discussion of the various ways a host can be compromised through flawed programs or network design, in the context of today's business environment.
Learning Outcomes: At the completion of this module a student should be able to:
1. Develop an understanding of security threats to IT infrastructure
2. Analyze the different methods by which a host can be compromised
Teaching Methods: Weekly lessons of 3 hours, over 12 weeks, inclusive of lectures, discussions and case reviews.
Main Text: Application Security in the ISO27001 Environment, Vinod Vasudevan, IT Governance Publishing
Additional Reading:
1. Infosecurity 2008 Threat Analysis: A One-Stop Reference Containing the Most Read Topics in the Infosecurity Library, Richard Ford, Syngress
2. Manage Software Testing, Peter Farrell-Vinay, Auerbach Publications
3. Security Patterns: Integrating Security and Systems Engineering, Markus Schumacher, Eduardo Fernandez-Buglioni, Duane Hybertson, Frank Buschmann, Peter Sommerlad, John Wiley and Sons
4. Threat Modeling, Frank Swiderski and Window Snyder
Useful Links: www.foundstone.com, www.sans.org, www.ibm.com, www.spidynamics.com, www.microsoft.com, www.sysinternals.com, www.symantec.com


Assessment

1. 2 Tests plus 1 Coursework (Test 1: 30%, Test 2: 30%, Coursework: 40%), OR
2. 3 Tests (Test 1: 30%, Test 2: 30%, Test 3: 40%), OR
3. Coursework 50%, Examination 50%, OR
4. Coursework 100%.
5. The exam rubric may change from time to time and from module to module. Double-check with the School.


Lesson Plan

For each week: S/N, topic, description, chapter in text, activity.

1. Security Risk Profiling
   i. Define security risk profiling, where it takes place in the Software Development Life Cycle, and the outputs.
   ii. Understand the security risk profile and perform a security risk analysis.
   iii. Analyze the results of the security risk profile and how it affects your organization.
   Chapter in text: Security in the Software Development Life Cycle. Activity: Theory.

2. Security Requirement
   i. Define what security requirements are and how they differ from functional requirements.
   ii. Describe the difference between a use case and an abuse case.
   iii. Perform a security requirements review.
   Chapter in text: Secure Development Life Cycle. Activity: Theory.

3. Secure Design
   i. Explain how security awareness fits into and modifies the system design process.
   Chapter in text: Secure Development Life Cycle. Activity: Theory.

4. Threat Modeling and Risk Ranking
   i. Describe the methodology to discover security vulnerabilities in the design stage.
   ii. Describe the heuristic to rank known vulnerabilities and prioritize their handling.
   Chapter in text: Secure Development Life Cycle. Activity: Theory.

5. Code Review Strategies
   i. Describe approaches to code review for projects both large and small.
   ii. Describe the leading automated tools used in the review.
   Chapter in text: Secure Development Life Cycle. Activity: Theory.

6. Security Testing Methodology
   i. Explain the difference between functional testing and security testing.
   ii. Describe the stages involved in creating a security test plan.
   Chapter in text: Security in the Software Development Life Cycle. Activity: Theory.

7. Security Test Tools and Techniques
   i. Describe several powerful tools for application testing.
   ii. Explain how the tools can be used efficiently to uncover common vulnerabilities.
   Chapter in text: Security in the Software Development Life Cycle. Activity: Theory.

8. Penetration Testing
   i. Describe the differences between security testing and functional or quality assurance (QA) testing, and demonstrate some techniques and heuristics.
   ii. Recognize and use some of the tools that are commonly used for security and penetration testing.
   Chapter in text: Secure Development Life Cycle. Activity: Theory.

9. Secure Deployment
   i. Describe the final stage of the software life cycle, deployment, and the need for a secure deployment.
   ii. Describe one of the most influential events in Windows security.
   Chapter in text: Secure Development Life Cycle. Activity: Theory.

10. Project
   i. Project. Activity: Project Consultation.

11. Project
   i. Project. Activity: Project Consultation.

12. Project
   i. Project. Activity: Project Submission and Presentation.

Assessment Methods
The assessment framework takes the form of continuous assessment and may be presented in one of the following formats:
1. 2 Tests plus 1 Coursework (Test 1: 30%, Test 2: 30%, Coursework: 40%), OR
2. 3 Tests (Test 1: 30%, Test 2: 30%, Test 3: 40%), OR
3. Coursework 50% and Exam 50%, OR
4. Coursework 100%

The assessment framework varies from module to module and is subject to change from term to term. Refer to the latest module specifications for the recommended exam rubric.

ASSIGNMENT (COURSEWORK)
INSTRUCTIONS:
1. The assessment criteria are:
   (a) Substance
   (b) Originality of work
   (c) Presentation
   (d) Use of illustrations / examples, where appropriate
2. Independent research on the relevant topics is encouraged.
3. Special consideration will be given to students who demonstrate an in-depth analysis of the questions.
4. Candidates who simply regurgitate their answers from the course manual risk failing the assignment.
5. Any similarities between individual assignments will result in a fail grade.
6. The assignment should be about 2,000 words (total).
7. Pages should be clearly numbered.
8. The format of the assignment should be as follows:
   (a) Front cover (i.e. title page), stating the:
       Module name and code
       Student's full name and I/C number
       Class code
       Name of lecturer
       Submission date
   (b) Contents page
   (c) Main body of the assignment
   (d) References. Example: Kotler, P. 1997, Marketing Management: Analysis, Planning, Implementation, and Control, 9th edn. Prentice Hall International.
9. Retain a photocopy of your course assignment.
10. Complete your assignment and hand it in by: ________12th Week____________
11. Late Assignment Policy: Assignments must be turned in on time for full consideration of a grade.
12. Academic Honesty and Professional Conduct: At Informatics, academic honesty and integrity are expected. If a student uses the ideas or words of another without crediting the source, such as literary theft, this is considered plagiarism. Documented plagiarism will result in a minimum penalty of failure in the assignment, but can result in failure in the course and/or withdrawal from the program. Students are encouraged to make use of an approved referencing system such as the Harvard referencing system.
13. Feedback on Assignments: Your lecturer will provide you with feedback on your assignments and grades.

TESTS
Tests are conducted during the module to give the student an opportunity to demonstrate an understanding of the subject and the materials taught. Tests are typically held at mid-term or at the end of term. A test may be conducted on-line or be paper-based. Depending on the subject matter, the length of a test can range from 1 hour to 3 hours. Tests may be conducted in class or in a formal exam setting.

EXAMINATIONS

Examinations are conducted at the end of each term in an exam hall setting. The duration of an examination is normally 3 hours.

Check the exam timetable with the School. The exam rubric may change from time to time and from module to module. Double-check the final rubric with your School.


Module Objectives
By attending this module, students will be able to:
1. Identify security requirements.
2. Address security in the design of an application.
3. Implement threat modeling and risk ranking strategies.
4. Explain the difference between functional testing and security testing.
5. Describe the stages involved in creating a security test plan.
6. Perform a proper code review.
7. Prevent application resource and information leaks.
8. Identify tools and techniques for secure deployment.

Unit 1: Security Risk Profiling

Introduction

Threat is the frequency of potentially adverse events; vulnerability is the likelihood that a particular threat succeeds against an organization; cost is the total cost of the impact of a particular threat on a vulnerable target. Risk is a function of all three: a frequent threat that is likely to succeed and expensive when it does is a high risk, and a rare threat that is unlikely to succeed and cheap when it does is a low one.

A security risk profile is an exercise to determine the risk rating associated with an application and its development. It takes place at the beginning of the Software Development Life Cycle (SDLC). As each stage is completed, its output is directed at both the project managers and the security personnel, and specifies the security tasks to be carried out during the remainder of the SDLC.

The question the profile answers is: in general, how risky is this application?
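As an added example (it is not from the course text or its reading list), the following Python script applies the three factors above to a set of threat scenarios for one application. It assumes 1-5 ordinal scales for threat, vulnerability and cost, takes risk as the product threat x vulnerability x cost, merges the ratings of several perspectives (business owner, developer, security team) by taking the worst case per factor, and maps the result to Low/Medium/High/Critical ratings and to SDLC security tasks; all of those scales, thresholds and task mappings are assumptions of the example, and the "customer portal" scenarios are constructed.

```python
"""Security risk profile: rate an application's threat scenarios on 1-5 scales
from several perspectives and combine them as threat x vulnerability x cost."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Ordinal 1-5 scales for the three factors in the course's risk definition.
# The scale values and thresholds below are assumptions of this example.
SCALE = (1, 2, 3, 4, 5)


@dataclass(frozen=True)
class Scenario:
    name: str
    threat: int          # how often the adverse event is expected
    vulnerability: int   # how likely it is to succeed against this application
    cost: int            # impact on the organisation when it does succeed

    def __post_init__(self) -> None:
        for value in (self.threat, self.vulnerability, self.cost):
            if value not in SCALE:
                raise ValueError(f"{self.name}: ratings must be 1-5, got {value}")

    def risk(self) -> int:
        # Risk = Threat x Vulnerability x Cost, giving 1..125.
        return self.threat * self.vulnerability * self.cost


def merge_perspectives(name: str, views: Dict[str, Tuple[int, int, int]]) -> Scenario:
    """Combine (threat, vulnerability, cost) ratings from several perspectives
    by taking the worst case for each factor."""
    threat = max(v[0] for v in views.values())
    vulnerability = max(v[1] for v in views.values())
    cost = max(v[2] for v in views.values())
    return Scenario(name, threat, vulnerability, cost)


def rating(score: int) -> str:
    """Measurement rating over the 1..125 product (assumed thresholds)."""
    if score >= 64:
        return "Critical"
    if score >= 27:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


# SDLC security tasks triggered by the overall rating (assumed mapping).
REQUIRED_TASKS = {
    "Low": ["security requirements review"],
    "Medium": ["security requirements review", "threat model"],
    "High": ["security requirements review", "threat model", "code review",
             "security test plan"],
    "Critical": ["security requirements review", "threat model", "code review",
                 "security test plan", "penetration test"],
}


def profile(application: str, scenarios: List[Scenario]) -> dict:
    """Risk profile: scenarios ranked by risk, an overall rating taken from the
    worst scenario, and the SDLC tasks that rating requires."""
    ranked = sorted(scenarios, key=lambda s: s.risk(), reverse=True)
    overall = ranked[0].risk() if ranked else 0
    return {
        "application": application,
        "ranked": [(s.name, s.risk(), rating(s.risk())) for s in ranked],
        "overall_score": overall,
        "overall_rating": rating(overall),
        "required_tasks": REQUIRED_TASKS[rating(overall)],
    }


# Constructed sample ratings for a hypothetical customer portal.
SAMPLE_SCENARIOS = [
    merge_perspectives("SQL injection via login form",
                       {"business": (3, 3, 5), "developer": (4, 4, 3), "security": (4, 3, 5)}),
    merge_perspectives("Denial of service on public API",
                       {"business": (3, 2, 3), "developer": (2, 2, 2), "security": (3, 2, 3)}),
    merge_perspectives("Insider misuse of admin console",
                       {"business": (2, 3, 4), "developer": (1, 2, 4), "security": (2, 3, 3)}),
]

if __name__ == "__main__":
    result = profile("Customer portal", SAMPLE_SCENARIOS)
    for name, score, level in result["ranked"]:
        print(f"{score:3d} {level:8s} {name}")
    print("Overall:", result["overall_rating"], "->", ", ".join(result["required_tasks"]))
```

Taking the worst case per factor when merging perspectives is deliberate: a developer who rates the cost of a breach low because it is not their concern should not be able to dilute the business owner's view of the same scenario.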

Topics to be Covered
1. Define security risk profiling, where it takes place in the Software Development Life Cycle, and the outputs.
2. Understand the security risk profile and perform a security risk analysis.
3. Analyze the results of the security risk profile and how it affects your organization.

Discussion Questions
1. What is security risk profiling?
2. Define a possible formula for risk.
3. Create a measurement rating.
4. Create a security risk profile from multiple perspectives.
5. Analyze the results of the security risk profile to understand the risk associated with the application.


Unit 2: Security Requirement

Introduction

Start by determining the application's functionality: what is the application supposed to do under proper circumstances, and what are the operating conditions and logical constraints under which it will operate? Functional requirements are written the way protocols are specified in a Request for Comments (RFC): they fix the what, the who and the conditions under which something happens. The sum of these factors is a use case. Everything in it is well defined, and it is modeled after a user who does not intend harm; an abuse case, by contrast, is modeled after a user who does.

The threshold you set for the security requirements need not be the strictest possible. Balance access against security: there is a trade-off, because maximum security encumbers users.

Topics to be Covered
1. Define what security requirements are and how they differ from functional requirements.
2. Describe the difference between a use case and an abuse case.
3. Perform a security requirements review.

Discussion Questions
1. What are functional requirements?
2. How do security requirements differ from functional requirements?
3. What is a use case?
4. Describe the difference between a use case and an abuse case.


Unit 3: Secure Design

Introduction

A secure design review is a complement to the traditional design process.

In the normal design process you have inputs, such as the Data Flow Diagram (DFD) and design documents, which depict the system broken down into its separate components and modules (usually produced top-down).

In the secure design review you revisit the very same documents from a different perspective: you assess the system from a security standpoint and add notes and observations to those documents.

Occasionally an observation introduces a new component or even forces a design change, which is why the secure design review should be used as early in the process as possible.

Map the flow of data to see where corrupted, attacker-influenced data could flow. If a component is found that is affected by user input only indirectly, mark it and focus on it directly.
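The data-flow mapping described above can be done mechanically once the DFD is written down as a graph. The following Python script is an added example, not part of the course material: it takes a constructed DFD of a 3-tier web application (components, the flows between them, and an assumed trust zone for each), marks every component that user-controlled data reaches directly or indirectly, records the path by which it gets there, and lists every flow of that data across a trust boundary, which is where the review should look for input validation and output encoding. The component names and zones are assumptions of the example.

```python
"""Secure design review over a data flow diagram (DFD): mark every component
that user-controlled data can reach, directly or indirectly, and every flow of
that data across a trust boundary."""
from collections import deque
from typing import Dict, Iterable, List, Tuple

# Constructed sample: a 3-tier web application as a directed graph,
# component -> components it sends data to.
FLOWS: Dict[str, List[str]] = {
    "browser": ["web_server"],
    "web_server": ["app_server", "access_log"],
    "app_server": ["database", "report_generator", "web_server"],
    "database": ["app_server", "backup_job"],
    "report_generator": ["mail_relay"],
    "backup_job": ["backup_store"],
    "cron_cleanup": ["database"],
    "access_log": [],
    "mail_relay": [],
    "backup_store": [],
}

# Trust zone of each component (assumed); a flow between zones crosses a boundary.
ZONES: Dict[str, str] = {
    "browser": "internet",
    "web_server": "dmz", "access_log": "dmz",
    "app_server": "internal", "database": "internal", "report_generator": "internal",
    "backup_job": "internal", "backup_store": "internal", "cron_cleanup": "internal",
    "mail_relay": "external",
}

UNTRUSTED_SOURCES = {"browser"}


def reachable_from(sources: Iterable[str], flows: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Breadth-first search: component -> shortest data path from a source."""
    paths: Dict[str, List[str]] = {}
    queue = deque()
    for source in sources:
        paths[source] = [source]
        queue.append(source)
    while queue:
        node = queue.popleft()
        for nxt in flows.get(node, []):
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return paths


def boundary_crossings(tainted: Iterable[str], flows: Dict[str, List[str]],
                       zones: Dict[str, str]) -> List[Tuple[str, str]]:
    """Flows that carry user-influenced data into a different trust zone."""
    crossings = set()
    for src in tainted:
        for dst in flows.get(src, []):
            if zones[src] != zones[dst]:
                crossings.add((src, dst))
    return sorted(crossings)


def review(flows: Dict[str, List[str]], zones: Dict[str, str], sources: Iterable[str]) -> dict:
    """Classify every component by its exposure to user input."""
    sources = set(sources)
    paths = reachable_from(sources, flows)
    direct = sorted({n for s in sources for n in flows.get(s, [])} - sources)
    indirect = sorted(n for n in paths if n not in sources and n not in direct)
    untouched = sorted(set(flows) - set(paths))
    return {
        "direct": direct,          # receive user input first hand
        "indirect": indirect,      # reached by user input through other components
        "untouched": untouched,    # never see user-influenced data
        "crossings": boundary_crossings(paths, flows, zones),
        "paths": paths,
    }


if __name__ == "__main__":
    result = review(FLOWS, ZONES, UNTRUSTED_SOURCES)
    for key in ("direct", "indirect", "untouched", "crossings"):
        print(f"{key:10s} {result[key]}")
    print("backup_store is reached via", " -> ".join(result["paths"]["backup_store"]))
```

Note that the backup store, which nobody would list as an input-handling component, is reached by user data through the database; that is exactly the kind of indirectly affected component the text says to mark. The crossing from app_server back to web_server is the response path, where output encoding belongs.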

Topics to be Covered
1. Explain how security awareness fits into and modifies the system design process.

Discussion Questions
1. What is the purpose of asset classification?
2. Give some examples of assets.
3. Describe the 3-tier web application.
4. List the common I/O channels used in a typical network application.


Unit 4: Threat Modeling and Risk Ranking

Introduction

There are several attack and defense patterns. There is no single best methodology; use several in combination.

Attack trees are a concept borrowed from game theory. The idea is to simulate a game between the attacker and the system, in which the attacker has a set goal, for example illegal access, system compromise, and so on. The goal is the root of the tree; each level below it lists the ways of achieving the node above, until the leaves are concrete attack steps.

When a leaf of the attack tree is an attack step for which you have no countermeasure, the attacker has a technique you cannot counter. This constitutes an open threat.

When using attack trees, work backward from the assets: consider how the attacker can get to them, and recurse.
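As an added example (not from the course text), the Python script below builds the attack tree that discussion question 1 asks for, with the goal "obtain a user name and password", and evaluates it. Intermediate nodes are AND (every child is needed) or OR (any child suffices); leaves carry an assumed attacker cost and a flag saying whether an existing control counters them. Evaluation returns the open threats, the cheapest uncountered path to the goal, and a ranking of the open leaves by how much countering each one would raise the attacker's cost, which is the prioritisation heuristic of topic 2. The tree, the costs and the controls are constructed assumptions.

```python
"""Attack tree for the goal "obtain a user name and password": AND/OR
decomposition with leaf attacks that are either countered by a control or
still open.  Evaluating the tree gives the open threats, the cheapest
uncountered path to the goal, and which missing control matters most."""
import copy
from dataclasses import dataclass, field
from typing import List, Tuple

INF = float("inf")


@dataclass
class Node:
    name: str
    kind: str = "LEAF"                 # "AND", "OR" or "LEAF"
    children: List["Node"] = field(default_factory=list)
    cost: int = 0                      # leaf only: attacker effort (assumed units)
    countered: bool = False            # leaf only: a control defeats this step


def cheapest(node: Node) -> Tuple[float, List[str]]:
    """Cost and leaf steps of the cheapest open attack that achieves node;
    INF means every route is countered."""
    if node.kind == "LEAF":
        return (INF, []) if node.countered else (node.cost, [node.name])
    results = [cheapest(child) for child in node.children]
    if node.kind == "AND":            # every child is required
        if any(cost == INF for cost, _ in results):
            return INF, []
        return (sum(cost for cost, _ in results),
                [step for _, steps in results for step in steps])
    return min(results, key=lambda r: r[0])   # OR: any child suffices


def open_threats(node: Node) -> List[str]:
    """Leaf attacks with no countermeasure, in tree order."""
    if node.kind == "LEAF":
        return [] if node.countered else [node.name]
    return [t for child in node.children for t in open_threats(child)]


def counter(node: Node, leaf_name: str) -> None:
    """Mark one leaf as countered, in place."""
    if node.kind == "LEAF":
        if node.name == leaf_name:
            node.countered = True
        return
    for child in node.children:
        counter(child, leaf_name)


def rank_controls(root: Node) -> List[Tuple[str, float]]:
    """What-if ranking: for each open leaf, the attacker's cheapest cost once
    that leaf is countered.  The control that raises the cost most comes first."""
    ranking = []
    for leaf in open_threats(root):
        trial = copy.deepcopy(root)
        counter(trial, leaf)
        ranking.append((leaf, cheapest(trial)[0]))
    return sorted(ranking, key=lambda r: -r[1])


# Constructed sample tree; costs and controls are illustrative assumptions.
ROOT = Node("Obtain user name and password", "OR", [
    Node("Guess the password", "AND", [
        Node("Enumerate valid user names", cost=1),
        Node("Online brute force", cost=5, countered=True),        # lockout policy
    ]),
    Node("Phish the user", "AND", [
        Node("Clone the login page", cost=2),
        Node("Deliver lure email", cost=2),
    ]),
    Node("Steal from the server", "OR", [
        Node("SQL injection on login", cost=3, countered=True),   # parameterised queries
        Node("Read credentials from exposed backup share", cost=5),
    ]),
    Node("Sniff credentials on the wire", cost=3, countered=True),  # TLS
])

if __name__ == "__main__":
    print("open threats:", open_threats(ROOT))
    print("cheapest open path:", cheapest(ROOT))
    for leaf, cost in rank_controls(ROOT):
        print(f"counter {leaf!r:50} -> attacker cost becomes {cost}")
```

Here the lockout policy makes user-name enumeration harmless on its own (the AND node it belongs to is blocked), so the ranking puts the phishing steps first even though enumeration is also an open leaf. That is the point of evaluating the tree rather than counting open leaves.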

Topics to be Covered
1. Describe the methodology to discover security vulnerabilities in the design stage.
2. Describe the heuristic to rank known vulnerabilities and prioritize their handling.

Discussion Questions
1. Create an attack tree with "obtain a user name and password for the system" as the goal.
2. Describe the STRIDE methodology used by Microsoft.
3. Describe the DREAD methodology used by Microsoft.
4. Describe OCTAVE, developed at Carnegie Mellon University and adopted by the US DoD.
5. What is RASQ (Relative Attack Surface Quotient)?


Unit 5: Code Review Strategies

Introduction

The concept of code review, and the motivation for performing one, is a key step in the SDLC. A code review is the activity most likely to find security bugs with considerable impact, for example buffer overflows, integer overflows, and so on. The project source is carefully scrutinized for:
- Coding errors
- Dangerous API calls
- Implementation faults
- Design-level logic security problems

Different approaches exist for:
- Finding the obvious problems
- Taint checks
- API handling
- Danger zones
- Pair programming and review

These approaches use both manual techniques and automated tools.
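To show what a taint check and a dangerous-API scan actually do, here is an added example (not from the course text or any named tool): a small static analyser written with Python's ast module that reviews Python source. A name is tainted when a value derived from an untrusted source is assigned to it; a finding is raised when a tainted expression reaches the checked argument of a sink without passing through a sanitiser. It also flags dangerous API calls regardless of taint and string constants assigned to secret-looking names. The source, sanitiser, sink and dangerous-API lists are assumptions of the example, as is the code under review, which is constructed.

```python
"""Taint check over Python source with the ast module: data from an untrusted
source that reaches a dangerous sink without passing through a sanitiser is
reported, together with dangerous API calls and hard-coded secrets."""
import ast
import re
from typing import List, Set, Tuple

# Dotted call names; these sets are an assumption of the example and would be
# tuned to the real code base under review.
SOURCES = {"input", "request.args.get", "request.form.get", "sys.argv"}
SANITIZERS = {"int", "shlex.quote", "html.escape"}
SINKS = {"os.system": 0, "subprocess.call": 0, "cursor.execute": 0, "eval": 0}  # name -> checked arg
DANGEROUS = {"os.system", "eval", "exec", "pickle.loads", "yaml.load"}
SECRET_NAME = re.compile(r"pass|secret|key|token", re.IGNORECASE)

Finding = Tuple[int, str, str]   # (line, category, detail)


def dotted(node: ast.AST) -> str:
    """'request.args.get' for the callee of request.args.get(...)."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


def is_tainted(expr: ast.AST, tainted: Set[str]) -> bool:
    """Can attacker-controlled data flow into this expression?"""
    if isinstance(expr, ast.Call):
        name = dotted(expr.func)
        if name in SOURCES:
            return True
        if name in SANITIZERS:
            return False                      # sanitiser output is trusted
    if isinstance(expr, ast.Attribute) and dotted(expr) in SOURCES:
        return True
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    return any(is_tainted(child, tainted) for child in ast.iter_child_nodes(expr))


def tainted_names(tree: ast.AST) -> Set[str]:
    """Flow-insensitive fixpoint: a name is tainted if any value assigned to
    it is tainted (assignments are reconsidered until nothing changes)."""
    tainted: Set[str] = set()
    changed = True
    while changed:
        changed = False
        for node in ast.walk(tree):
            if isinstance(node, ast.Assign) and is_tainted(node.value, tainted):
                for target in node.targets:
                    if isinstance(target, ast.Name) and target.id not in tainted:
                        tainted.add(target.id)
                        changed = True
    return tainted


def review_source(source: str) -> List[Finding]:
    """All findings for one module, sorted by line."""
    tree = ast.parse(source)
    tainted = tainted_names(tree)
    findings: List[Finding] = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = dotted(node.func)
            if name in DANGEROUS:
                findings.append((node.lineno, "dangerous-api", name))
            index = SINKS.get(name)
            if index is not None and len(node.args) > index and is_tainted(node.args[index], tainted):
                findings.append((node.lineno, "tainted-sink", name))
        elif (isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant)
              and isinstance(node.value.value, str) and node.value.value):
            for target in node.targets:
                if isinstance(target, ast.Name) and SECRET_NAME.search(target.id):
                    findings.append((node.lineno, "hardcoded-secret", target.id))
    return sorted(findings)


# Constructed code under review (not real project code).
SAMPLE = '''\
import os
import shlex

API_KEY = "constructed-example-not-a-real-key"

def handler(request, cursor):
    user = request.args.get("user")
    page = int(request.args.get("page"))
    safe_user = shlex.quote(user)
    cursor.execute("SELECT * FROM t WHERE name = '" + user + "'")
    cursor.execute("SELECT * FROM t WHERE name = ?", (user,))
    os.system("ls " + safe_user)
    os.system("ls " + user)
    cursor.execute("SELECT * FROM t LIMIT " + str(page))
'''

if __name__ == "__main__":
    for line, category, detail in review_source(SAMPLE):
        print(f"line {line:3d}  {category:17s} {detail}")
```

The analysis is deliberately flow-insensitive and intra-module: it does not know that a sanitiser on one path leaves another path unsanitised, and it cannot follow data through function calls. That is the trade-off real taint tools make between noise and coverage, and why the text pairs automated tools with manual review.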

Topics to be Covered
1. Describe approaches to code review for projects both large and small.
2. Describe the leading automated tools used in the review.

Discussion Questions
1. How would you approach finding the obvious problems?
2. Conduct a taint check.
3. What is your approach toward API handling?
4. What is pair programming and review?


Unit 6: Security Testing Methodology

Introduction

Security testing can be considered an extension of traditional Quality Assurance (QA) testing.

It must be done to validate all the previous stages of the SDLC:
- The design is consistent and coherent
- The use cases are properly implemented
- The threat models are properly exercised
- Code coverage and control flow are as expected

Topics to be Covered
1. Explain the difference between functional testing and security testing.
2. Describe the stages involved in creating a security test plan.

Discussion Questions
1. How does security testing differ from QA?
2. Design a good security test plan.
3. What is a security unit test?
4. What is regression testing?


Unit 7: Security Testing Tools and Technique

Introduction

Security testing tools are used to:
- gain control over the input to the application, so that client-side validation rules can be bypassed
- modify fields that are not normally accessible using client-side tools
- analyze identifiers for predictable patterns
- scan for known server-level vulnerabilities
- scan every field in an application for common vulnerabilities

Some of the available categories of security testing tools are:
- HTTP tools
- Browser plugins
- Proxies
- Low-level packet tools (tcpdump / tcpreplay)
- ITR
- Application security scanners
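The last item above, scanning every field for common vulnerabilities, is what an application security scanner automates. The Python script below is an added example (not from the course text or any of the tools listed) that does it by hand for SQL injection, the subject of discussion question 5: a login function built by string concatenation over an in-memory sqlite3 database sits beside the parameterised fix, and a scanner puts each injection payload into each input field in turn, recording any authentication bypass or database error. The user table, credentials and payload list are constructed for the example.

```python
"""SQL injection, vulnerable and fixed, plus the 'scan every field' technique:
a local sqlite3 login is exercised with injection payloads in each input field
and any authentication bypass or database error is recorded."""
import sqlite3
from typing import Callable, Dict, List, Optional, Tuple

Fields = Dict[str, str]
Login = Callable[[sqlite3.Connection, Fields], Optional[Tuple[str, str]]]


def make_db() -> sqlite3.Connection:
    """In-memory user table with constructed sample credentials."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, fields: Fields) -> Optional[Tuple[str, str]]:
    """String concatenation: user-supplied text becomes part of the SQL."""
    sql = ("SELECT name, role FROM users WHERE name = '" + fields["user"]
           + "' AND password = '" + fields["password"] + "'")
    return conn.execute(sql).fetchone()


def login_fixed(conn: sqlite3.Connection, fields: Fields) -> Optional[Tuple[str, str]]:
    """Parameterised query: user-supplied text is only ever data."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ? AND password = ?",
        (fields["user"], fields["password"])).fetchone()


# Constructed payload list; a real scanner carries hundreds per vulnerability class.
PAYLOADS = [
    "' OR '1'='1",
    "' OR 1=1 --",
    "admin' --",
    "x' UNION SELECT name, password FROM users --",
]


def scan_fields(target: Login, conn: sqlite3.Connection, baseline: Fields) -> List[Tuple[str, str, str]]:
    """Put each payload into each field in turn (other fields kept at their
    baseline values) and report bypasses and error responses."""
    findings = []
    for field_name in baseline:
        for payload in PAYLOADS:
            attempt = dict(baseline, **{field_name: payload})
            try:
                row = target(conn, attempt)
            except sqlite3.Error as exc:
                findings.append((field_name, payload, f"error: {exc}"))
                continue
            if row is not None:
                findings.append((field_name, payload, f"bypass: logged in as {row[0]}"))
    return findings


if __name__ == "__main__":
    db = make_db()
    baseline = {"user": "nobody", "password": "wrong"}
    for login in (login_vulnerable, login_fixed):
        print(login.__name__)
        for field_name, payload, outcome in scan_fields(login, db, baseline):
            print(f"  {field_name:8s} {payload!r:48} {outcome}")
```

Two details are worth noticing in the output. The textbook payload `' OR '1'='1` fails in the user field but succeeds in the password field, because AND binds tighter than OR in the generated SQL; that is why the scanner tries every field rather than one. The parameterised version produces no findings at all, because each payload is compared as a literal string.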

Topics to be Covered
1. Describe several powerful tools for application testing.
2. Explain how the tools can be used efficiently to uncover common vulnerabilities.

Discussion Questions
1. Perform a simple HTTP test.
2. Find more information on the low-level tools available on the Internet.
3. Identify some application security scanners.
4. Explain cross-site scripting.
5. Explain SQL injection.
6. Perform a command injection.


Unit 8: Penetration Testing

Introduction

Security testing is commonly referred to as penetration testing or pen-testing.

Three box types are defined in security/penetration testing:

Black box penetration tests are those in which the tester knows little or nothing about the application. A local copy of the application may be available, but often the tests are conducted over the network with a firewall (or an application-level firewall) in the way. If a local copy is available, the tester may choose to disassemble or decompile the application; otherwise the tester is usually restricted to trying various input permutations.

Gray box scenarios are those in which the tester knows some of the application structure, including the external API and internal function calls. Some DLLs and functions may be available in binary form, as header (.h) files (common for C code), or both. This simplifies the task of permuting inputs. Disassemblers, which were something of an added bonus in the black box case, are now an important tool.

White box tests are rarer, yet they are the most preferred of all: the tester has full knowledge of the application, including its source code. The disassemblers are put aside; instead the tester can start an IDE to review and debug the code.
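"Trying various input permutations" in the black box case is fuzzing, which discussion question 2 below asks you to perform. The following Python harness is an added example, not from the course text: it takes one valid input for a small binary record format, generates a deterministic set of byte substitutions and truncations from it, runs every case through the parser, and keeps one reproducing input per distinct crash. A second parser with its lengths validated is run through the same harness to show what a clean result looks like. The record format, both parsers and the seed input are constructed for the example.

```python
"""Black-box mutation fuzzing of a small binary parser: a deterministic set of
byte substitutions and truncations is generated from a valid seed input, every
case is run through the target, and one repro input is kept per distinct crash.
The checked parser shows that the same harness reports nothing once bounds are
validated and malformed input is rejected with a controlled error."""
import struct
from typing import Callable, Dict, Iterator, List, Optional, Tuple

Record = Tuple[int, object]


def parse_records(data: bytes) -> List[Record]:
    """Toy TLV parser under test: 1-byte type, 1-byte length, value.
    Type-2 values decode as a big-endian 32-bit integer.  It trusts the
    length field and never checks that enough bytes remain (the bugs)."""
    records, pos = [], 0
    while pos < len(data):
        rtype, length = data[pos], data[pos + 1]          # IndexError if header cut
        value = data[pos + 2:pos + 2 + length]
        if rtype == 2:
            value = struct.unpack(">I", value)[0]         # struct.error if not 4 bytes
        records.append((rtype, value))
        pos += 2 + length
    return records


def parse_records_checked(data: bytes) -> List[Record]:
    """Same format, every length validated; bad input raises ValueError."""
    records, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated record header")
        rtype, length = data[pos], data[pos + 1]
        value = data[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated record value")
        if rtype == 2:
            if length != 4:
                raise ValueError("type 2 requires a 4-byte value")
            value = struct.unpack(">I", value)[0]
        records.append((rtype, value))
        pos += 2 + length
    return records


def mutations(seed: bytes) -> Iterator[bytes]:
    """Interesting byte values at every offset, then every truncation."""
    for i in range(len(seed)):
        for v in (0x00, 0x01, 0x7F, 0x80, 0xFF):
            yield seed[:i] + bytes([v]) + seed[i + 1:]
    for n in range(len(seed)):
        yield seed[:n]


def crash_signature(target: Callable[[bytes], object], data: bytes,
                    expected: tuple = ()) -> Optional[str]:
    """Exception type and message if target crashes on data; None if it
    returns or raises one of the expected (controlled) exception types."""
    try:
        target(data)
    except expected:
        return None
    except Exception as exc:
        return f"{type(exc).__module__}.{type(exc).__name__}: {exc}"
    return None


def fuzz(target: Callable[[bytes], object], seeds: List[bytes],
         expected: tuple = ()) -> Dict[str, bytes]:
    """One repro input per distinct crash signature."""
    crashes: Dict[str, bytes] = {}
    for seed in seeds:
        for case in mutations(seed):
            sig = crash_signature(target, case, expected)
            if sig is not None:
                crashes.setdefault(sig, case)
    return crashes


# Constructed valid seed: record (type 1, b"abc") then record (type 2, 256).
SEED = bytes([1, 3, 0x61, 0x62, 0x63, 2, 4, 0, 0, 1, 0])

if __name__ == "__main__":
    for sig, case in fuzz(parse_records, [SEED]).items():
        print(f"{sig}\n    repro: {case.hex()}")
    print("checked parser crashes:",
          fuzz(parse_records_checked, [SEED], expected=(ValueError,)))
```

Deduplicating on the exception type and message is the crudest form of crash triage, but it is what keeps a fuzzing run readable: the 66 cases generated here collapse to a handful of distinct failures, each with an input that reproduces it. Real fuzzers add random mutation and coverage feedback on top of this skeleton.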

Topics to be Covered
1. Describe the differences between security testing and functional or quality assurance (QA) testing, and demonstrate some techniques and heuristics.
2. Recognize and use some of the tools that are commonly used for security and penetration testing.

Discussion Questions
1. State the purpose of security testing.
2. Try to perform fuzzing.
3. Try to perform call tracing.
4. Identify hard-coded strings.
5. Try to do a code review, mapping API calls.
6. What is a taint check?
7. Identify some pen-test tools.


Unit 9: Secure Deployment

Introduction

So far, you have learned how security is applied at every stage of the software development life cycle (SDLC), from design through implementation. The last stage, deployment, is often overlooked.

Topics to be Covered
1. Describe the final stage of the software life cycle, deployment, and the need for a secure deployment.
2. Describe one of the most influential events in Windows security.

Discussion Questions
1. How would you balance security vs. usability? 2. Oracle encourage the principles of least privilege. How does it deals with malware? 3. Explain the secure defaults principles. 4. How important are logging and management? 5. Study the Blaster (Windows) case study and report your findings.

