Application and System Security Development

There are many models to choose from when designing an application as well as a few international standards that one can use in the development software. Each one falls in and out of favor at sometime, and most firms use a combination of techniques when developing software. Moreover, cyber-security standard right now do not distinguish between system and software development life-cycles yet. But being a programming I do, and it’s a fact that all viruses and malware on the market today are written by programmers, not network administrators.

 

The best life-cycle one can use in software development is to put in a repeatable and predictable process in place – easy to follow for business people and programmers. A life-cycle model that includes security built in at every level and in every feature from the inside out, and if the system its running on gets corrupted - it reverts to a default safe operating mode.

 

The ISO/IEC 27034 is one of international standards that provides guidance to organizations looking to integrate security into their processes of application development.

CMMI Security Model

CAPABILITY MATURITY MODEL (CMMI) The (CMMI) model is a comprehensive integrated set of guidelines for developing products and software. It addresses the different phases of a software development life-cycle, including concept definition, requirements analysis, design, development, integration, installation, operations, and maintenance, and what should happen in each phase. It can be used to evaluate security engineering practices and identify ways to improve them. It can also be used by customers in the evaluation process of a software vendor.

 

Microsoft and other big software makers have implemented a standard way to develop applications and system software over the last couple of years. The overview of this process is graphed below.

Yes most built software of today is built around the Object Oriented Programming platform (OOP). But what type of object is it, and who has access to it? Moreover, what controls are embedded within that object to help it protect itself from outside attacks? The OOP is based around the four pillars of polymorphism, inheritance, encapsulation, and abstraction. So if one understands how these core mythologies works it would go a long way in his/her understanding of how to protect them better as it runs within their application or network environment.

 

Next look at each layer in your software product or service and decide how security can be implemented. The graphic below illustrates and looks at 8 security dimensions, and the end user security, control, and managed security. It was originally developed to help network operators understand what is needed to design, implement, and maintain a secure network. The framework is flexible enough so that it can be adapted to the ever-changing world of cyber-security and the coming regulations.

 

SECURITY LAYERS - The framework defines three security layers, which describe a hierarchy of network equipment and facility groupings. The infrastructure layer includes the basic building blocks used to create the network, services, and application systems.

 

• The services layer focuses on services that end users receive from networks.

• The applications layer consists of network-based applications accessed by end users.

After identifying and prioritizing the threats, it is necessary to select appropriate security controls for mitigation. The eight security dimensions represent classes of actions that can be taken, or technologies that can be deployed to counter the threats and potential attacks present at each security layer. Below are just some of the threats to look for in your design process.

 

APPLICATION DEVELOPMENT AND THREAT IDENTIFICATION

 

 

End User

Controls

Management

Identified Assets

Network Interfaces

User Authentication

Deep Screened Protocols

User Authentication

Traffic Passing Through

Reset Switch

Session Table

VLAN’s

Routing Protocol

Rules Update Traffic

State Information

Management GUI

Policies

Logs

Alarms

Configuration

Administrative Acct

 

Identified Vulnerabilities for the Session Table

 

Dimension

Vulnerabilities

Access Control

Unauthorized modification to the “sessions” can be made if a process person gains access to the firewall’s address space where the session table is stored. This can lead to possible root control of the server, and applications.

Authentication

“Any” process can modify the session table without any authentication

Non-repudiation

There is no definite record/proof of who made the changes to the sessions table and database.

Data Confidentiality

The contents of the session tale can be seen by an unauthorized entity

Communication Security

None, as the sessions table, which is difficult to detect

Data Integrity

Modification to sessions table, which is difficult to detect

Availability

Attacks like SYN flooding can quickly fill the session table, leaving no space for new sessions.

Privacy

Critical information about the sessions tables can be deduced by examining the sessions log.

 

 

In this web page I was only able to cover a small part at what goes into creating applications that are secure. No application is totally secure given the amount of bugs found in most software today. It is figure that for every thousand lines of codes there are around twenty major bugs or more. So nothing is perfect, the diagrams and lists can only give one ideas on what to look for in the design process.

Application and System Security Development Paper - Click to Download
App_Sys_Security_Dev.docx
Microsoft Word document [270.5 KB]

Lance West

 

DigiBrains@msn.com

 

 

  • Cyber-Security

 

  • Information Assurance training

 

  • IT Risk Analysis

 

  • BIA/BCP Development

 

  • Software Security

 

  • Databases
Print | Sitemap
© DigiBrains LLC