CISSP Domain 8 Review – Software Development Security
This post serves as a review for the domain 8 of the CISSP. This domain covers the software development security.
Before we start, here is a list that will help you navigate through the different sections of this domain review.
- Software Development Lifecycle.
- Security Controls in Development Environments.
- Secure Coding Standards and Guidelines.
- The Effectiveness of Software Security.
Software Development Lifecycle
The first section of domain 8 of the CISSP covers the software development lifecycle. It includes the following subjects:
- Software development phases.
- Software development methodologies.
- Maturity models.
- Change management.
- Integrated teams.
Software development phases
There are 6 main phases during the software development lifecycle :
- Requirements definition
- Design specification
- Testing and validation
After development, and when talking about a system lifecycle, the following two phases are added after testing and validation:
- Operation and maintenance
Software development methodologies
There are multiple methodologies used for software development. I tried to list here the most common ones:
- The next phase starts after the previous one is done
- Inability to incorporate change.
- It goes through planning, risk analysis, engineering and evaluation in a repeated process.
- Good for risky and expensive projects.
- It aims to have no defect in the developed software.
- Not good when flexibility is required.
- Small manageable increments.
- It follows the principles of the Agile manifesto.
- Early and continuous delivery of valuable software.
- Welcome changing requirements, even late in development.
- Deliver working software frequently.
- Business people and developers must work together daily.
- Build projects around motivated individuals.
- The most efficient and effective method of conveying information is face-to-face conversation.
- Working software is the primary measure of progress.
- Agile processes promote sustainable development.
- Continuous attention to technical excellence and good design enhances agility.
- Maximizing the amount of work not done.
- The best architectures, requirements, and designs emerge from self-organizing teams.
- At regular intervals, the team reflects on how to become more effective, then tunes and adjusts its behavior accordingly.
Maturity models are tools that help in improving processes. The most common one is the Capability Maturity Model (CMM).
CMM defines 5 maturity levels:
- Initial : Processes are ad-hoc and chaotic.
- Repeated : Processes are managed.
- Defined : Processes are understood and documented in procedures and standards.
- Quantitatively managed: Measured.
- Optimizing : Continuous process improvement.
Changes should never be made directly in production. Backups need to be made available in case a change is not successful. And always make sure to document every step of the change process.
The process is as follow :
- Request for Change
- Analyze the change (Feasibility, impact).
- Approve the change
- Implement and test the change
- Review the change
- Report to management.
People with different skills and from different environments can be combined to form an integrated team. Three examples of integrated teams are provided here:
- Integrated Product Team (IPT)
- A team with various skills that work together to deliver a product.
- Integrated Product and Process Development (IPPD)
- Concurrent development of products and processes.
- Integrates development, operations and quality assurance.
- Based on agile principles.
Security controls in development environments
This second section covers security controls in development environments. It includes the following subjects.
Databases and data warehouses
A database is based on four main components:
- Database engine.
- Hardware platform.
Databases are based on models, which define the way data should be represented in the database. The following are the most common database models:
- Hierarchical : The oldest.
- Network : Data is represented in the form of a network that includes nodes and arcs.
- Relational: The most common.
- Based on tables (Rows called tuples, and columns called attributes).
- Object-oriented : Data is stored as objects. Similar to OOP languages. A new model.
- Object-relational (Hybrid).
- NoSQL : Non Relational. Used when massive data is needed.
Database models should have the following requirements:
- Transaction persistence.
- Fault tolerance and recovery.
- Multiple users at the same time.
- Security controls.
Organizing data in a database
Database normalization is how a DBMS organizes data in order to reduce redundancy (Referenced, non-duplicative…). A database can be in one of the following four normal forms:
- First normal form
- Second normal form
- Third normal form
Integrity rules are important for a good dbms. For the CISSP, you should know two rules:
- Entity integrity : There should be unique, non-NULL values in the primary key.
- Referential integrity : For each referenced foreign key, a primary key should exist with that same value.
A database using SQL will contain the following three components:
SQL has three sublanguages:
- Data Definition Language (DDL) : For database administrators. Does not deal with the actual data stored in the database.
- Data Manipulation Language (DML) : It deals with data stored in the database. Used for inserting, deleting and reading records,
- Data Control Language (DCL) : It deals with the security part of the database.
Database transactions should be ACID compliant:
- Atomicity : All or nothing.
- Consistency : Respects the integrity constraints of the database.
- Isolation : Transactions should not interfere with each other.
- Durability, also called transaction persistence.
Database interface languages
Three known database interface languages are :
- ODBC: By Microsoft. For relational databases.
- OLE DB : Also by Microsoft, but this time for all models of databases.
- JDBC : By Oracle. For all models of databases.
For databases that need to be accessed from the Internet, it is good to have a three-tier model. This will separate the database from the user.
The three-tier model has the following three layers:
- Presentation layer.
- Business logic layer.
- Data layer.
Some concepts related to data warehouses that you should know about :
- Metadata : Data about data.
- OLAP (Online Analytical Processing) : For analyzing data warehouses.
- OLTP (Online Transaction Processing) : For allowing a high number of transactions at the same time.
- Knowledge Discovery in Databases (KDD) :
- Two approaches
- Two approaches
Databases have many vulnerabilities and are exposed to different threats. This is a list of some of these :
- SQL injection : Use prepared statement to help prevent it.
- Inference : The ability to deduce sensitive information from public data.
- Aggregation : The ability to deduce sensitive information from combining multiple pieces of non-sensitive data.
- Access control bypass at the front-end.
- Compromising view-based access control.
- Concurrency problems:
- Lost update.
- Dirty read (Temporary update).
- Incorrect summary.
- Deadlocking (Deadly embrace) : When two transactions are trying to execute at the same time, but both are denied.
- Solution : Using lock controls.
- DoS attacks (e.g. SQL Slammer).
- TOCTOU (Time Of Check Time Of Use).
The Open Web Application Security Project (OWASP) maintains many frameworks and guidelines, most of which are related to web application security :
- Development Guide.
- Testing Guide.
- Code Review Guide.
- Top Ten Web Application Security Vulnerabilities.
This is a list of the top ten web application vulnerabilities as defined by OWASP:
- Broken authentication.
- Sensitive data exposure.
- XML external entities (XXE).
- Broken access control.
- Security misconfiguration.
- Cross-site scripting (XSS).
- Insecure deserialization.
- Using components with known vulnerabilities.
- Insufficient logging and monitoring.
You should remember and understand each of these ten items as part of your preparation of the domain 8 of the CISSP.
There is a difference between a virus and a worm: A virus requires a human to propagate, and a worm can propagate by its own.
Here is a list of the most common types of malware :
- Remote Access Trojan (RAT)
- Logic Bomb.
- Macro virus.
- Companion Virus.
- Boot sector infectors.
- File infectors.
There are three ways to detect malware :
- Activity monitoring.
Security in code repositories
This is a list of some best practices for securing code repositories:
- Defense in depth.
- Physical and logical access controls
- Integrity checks.
- Protection of source code
- CVCS : Centalized Version Control System.
- DVCS : Distributed Version Control System.
- Sensitive code segregation.
Secure coding standards and guidelines
This third section covers secure coding standards and guidelines. It includes the following subjects.
There are 5 generations of programming languages:
- G1 : machine language (opcode).
- G2 : Assembly language.
- G3 : High-level languages (Java, C…)
- G4 : Very high-level languages, for specific programs (SQL, XML…)
- G5 : Require artificial intelligence.
Some concepts related to Object-Oriented Programming (OOP) :
- Data modeling : First step in OOP.
- Encapsulation : Data in an object is not accessible to the code. Also called data hiding.
- Inheritance : A class inherits the attributes and methods of its parent class.
- Polyinstantiation : A solution against inference. Multiple instances of an object can be created in different classification levels.
- Distributed object-oriented systems:
- JRMI (Not used as often as before).
- DCOM (Microsoft proprietary).
Here are some good practices for API security:
- Authentication for RESTful APIs:
- Basic with TLS : the lowest security. Basic authentication should never be used without TLS.
- OAuth 1.0a : The most secure, but complicated process.
- OAuth 2.0. : Same as OAuth 1.0a, but without signature. This makes it less complex.
- A risk assessment should be conducted for all APIs.
- Security testing of APIs using fuzz testing.
Security weaknesses at the code level
- Buffer overflow.
- Covert channel.
- Memory reuse.
The effectiveness of software security
This last section of domain 8 of the CISSP covers the effectiveness of software security. It includes the following subjects:
Certification and accreditation.
There is an important distinction between certification and accreditation :
- Certification : Developers certify that the software has passed all the tests and is operating as expected.
- Accreditation : The software is granted authorization to operate by management. Risk accepted.
Logging and auditing
Logging ensures accountability, non-repudiation and facilitates audits.
Some guidelines and best practices include NIST SP 800-92 and OWASP Logging Cheat Sheet.
Security of acquired software
Software acquisition follows the below process:
- Procurement and contracting
- Implementation and acceptance
A software assurance policy should be in place.
We have now gone through all items that are covered in the domain 8 of the CISSP. If you notice that there is some important concept that I have forgotten to mention in this review, please let me know in the comments below.