Software Development Security
1 Domain 08 – Software Development Security
Hello and welcome to Domain 8 of the CISSP certification course offered by Simplilearn. This lesson provides an introduction to Software Development Security. Let us explore the objectives of this lesson in the next screen.
2 Objectives
After completing this domain, you will be able to:
•Recognize the importance of system environments and programming concepts
•Discuss Object-Oriented Programming
•Describe the System Life Cycle and Systems Development
•Explain Database and Data Warehousing Environments
•List the Ten Best Practices for Secure Software Development – (ISC)2
3 Importance of Software Development Security
Nutri Worldwide Inc. developed a Vendor Management System for their vendor management process. One of the key features of the new software was the centralized bidding process for contracts. It was noticed that, regardless of the number of bidders, one vendor always managed to get the contract for the supply of bottles and cans for one of the processing units. It was later found out after a thorough investigation that this vendor managed to access the bidding data. During the programming and testing phase of the development of the software, secure programming practices were not implemented. The software underwent a lot of rework and redevelopment before it was released again. Kevin, who is preparing for his CISSP exam, read this internal case study to understand the Importance of Software Development Security.
4 System Environments
System environments can be defined as a combination of different independent components like servers, application networks, and their inter-relationships. Information systems are becoming more distributed, with a substantial increase in open protocols, interfaces, source code, and sharing of resources. This requires that all resources be protected against unauthorized access. Countermeasures and safeguards are provided through software controls, especially operating system mechanisms. Moreover, with the increased use of web-based applications running on distributed systems, the Internet presents a security challenge because of the complexity of the information flow. A lack of software protection mechanisms can leave the operating system and critical computer resources open to corruption and attack. The various system environments are described here and they are: Distributed Environment; Client—Server Systems; Local Environment; Distributed Data Processing (DDP); Agents; and Applets.
5 Distributed Environment
Distributed Environment is a systems architecture that integrates the management of application software, application platform, technology interface, information, and communications.
6 Client/Server Systems and Local Environment
Client—Server Systems enable an application system to be divided across multiple platforms that have different operating systems and hardware. The client requests services and the server fulfills these requests. The server handles the data-processing services and provides the processed result to the client. The client performs the front-end portion of an application, and the server performs the back-end portion, which is usually more labor intensive. In a Local Environment, applications are located in one place on one system, and communication links do not exist.
7 Distributed Data Processing and Agents
Distributed Data Processing or DDP (read as D-D-P) uses physically separated computers that manage data independently and are able to share it with one another. Agents are small standalone programs that are part of a larger application. Agents carry out specific functions, such as remote status collection or remote system management. Agents generally run autonomously and without any human interaction. Some examples of agents include: an anti-virus program on a workstation or server, which acts as an agent in an enterprise environment that includes a central management console; and patch management, where an agent on each server periodically queries the OS for the existence of software patches and installs patches when commanded to do so.
8 Applets
Applets are small programs residing on a host computer that are downloaded to a client computer to be executed; they are usually written in Java, ActiveX, or JavaScript. An applet is a software program that runs within the context of another program. Java is an object-oriented, distributed, general-purpose programming language developed by Sun. Java has some of the characteristics of both compiled and interpreted languages. The Microsoft ActiveX environment also supports the downloading of mobile code (ActiveX controls), written in languages such as Visual Basic or C++, to Web browsers, and thus has the potential for causing harm to a system.
9 Programming Concepts
In this screen, we will discuss programming concepts in detail. The term programming language usually refers to high-level languages such as C, FORTRAN, and Pascal. The common types of programming languages are as follows. Machine language, or machine code, is a software program that is executed directly by the CPU. Machine language is CPU-dependent; it is a series of ones and zeroes that translate to instructions the CPU understands. Assembly language is a low-level computer programming language. The instructions are written in short mnemonics, such as ADD for addition, SUB for subtract, and JMP for jump, that match machine language instructions. An assembler converts assembly language into machine language. A disassembler converts machine language into assembly. In a high-level language, programmers write the code using logical words and symbols. The code is then translated into machine code before being executed by the CPU. High-level languages contain English-like instructions such as printf for print formatted. Source code is computer programming language instructions written in text that must be translated into machine code before execution by the CPU. We will discuss the differences between a compiler and an interpreter in the next screen.
10 Compiler Vs Interpreter
Compilers take source code, such as C or Basic, and compile it into machine code. A compiled program is compiled only once. Interpreted languages differ from compiled languages. Interpreted code (e.g., a shell script) is compiled each time the program is run. If an interpreted program is run 100 times, it will be compiled 100 times. An interpreter translates high-level instructions into an intermediate form, which it then executes. In contrast, a compiler translates high-level instructions directly into machine language. Compiled programs generally run faster than interpreted programs. The advantage of an interpreter, however, is that it does not need to go through the compilation stage during which machine instructions are generated. A compiler searches for all the errors in a program and lists them together, whereas an interpreter checks the errors of a program statement by statement. In a compiler, error correction can be time-consuming: it generates the error messages only after scanning the whole program, so debugging is comparatively hard. In an interpreter, error correction is easier: it continues to translate the program until the first error is met, at which point it stops, so debugging is easy. Compilers are difficult to use, whereas interpreters are easier to use. Languages like C and C++ use compilers, and languages like Python and Ruby use interpreters. We will look at Programming and Software in detail in the following screen.
11 Programming and Software
Publicly released software may come in different forms after programming. For example, the software may come with or without the accompanying source code. It is released under a variety of licenses. Open-source software publishes source code publicly, allowing anyone to inspect, modify, or compile it. Examples include Ubuntu Linux and the Apache web server. Closed-source software is typically released in executable form: the source code is kept confidential. Examples include Oracle and Microsoft Windows 7. Proprietary software is subject to intellectual property protections such as patents or copyrights. It can be either open-source or closed-source software; an example is Apple iOS. Shareware is fully functional proprietary software that may be initially used free of charge. If the user continues to use it beyond a period of time specified by the license (such as 30 days), the shareware license requires payment. An example is a trial version of MS Office (read as M-S-Office). Crippleware is partially functioning proprietary software, often with key features disabled. The user is required to make a payment to unlock the full functionality. An example is IBM (read as I-B-M) AppScan. Free software can mean either that the software is free of charge to use or that the user is free to use the software in any way he or she chooses, including modifying it. Freeware is free of charge to use, for example free mobile apps. In the next screen, we will discuss threats in the software environment.
12 Threats in the Software Environment
A Buffer Overflow attack occurs when someone attempts to disrupt a program’s operation by supplying more input than its buffer can hold. In a buffer overflow attack, the excess input data overflows the program’s input buffer and overwrites another part of the program’s memory space. Depending upon the hardware and software architecture of the attacked program, this can lead to corruption of other variables in the program, which could cause an unexpected change in the program’s behavior, or the overflow could overwrite instructions in the software. Citizen Programmers are programmers who may create applications with both security and reliability problems. If this type of unsupervised programming is allowed, then a single user may have complete control over an application or process. Visual Basic, included in the Microsoft Office suite, is often used by citizen programmers to develop their applications or extend existing ones. They are also known as casual programmers, who are unlikely to be trained in, or bound by, system development practices that involve proper application design, change control, and support for the application. Therefore, applications developed by them are likely to be chaotic and lack assurance in regard to security. Citizen programming should be addressed as a matter of policy.
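As an added example that is not from the course material, the code below shows the unbounded copy the text describes (in a comment) next to a bounded version that refuses input that does not fit; the `struct vendor` record, `NAME_MAX`, and the vendor-name field are assumptions made for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not part of the course.  A fixed-size record such as a
 * vendor name in a bidding system is a typical overflow target when the
 * input length is never compared with the buffer size.  The unsafe pattern
 * copies until it finds a NUL, so 40 bytes of input overwrite whatever
 * follows the 16-byte field (here the `approved` flag, then the rest of
 * the stack).  The bounded version checks the length first and rejects
 * over-long input instead of silently truncating it, which would alter
 * the data rather than refuse it. */

#define NAME_MAX 16          /* hypothetical field size, including the NUL */

struct vendor {
    char name[NAME_MAX];
    int  approved;           /* the "other variable" an overflow would corrupt */
};

/* Unsafe pattern the text describes (illustration only, do not use):
 *
 *     void set_name_unsafe(struct vendor *v, const char *input) {
 *         strcpy(v->name, input);   // no bound: writes past v->name
 *     }
 */

/* Returns 0 on success, -1 when the input does not fit.  On failure the
 * record is left untouched, so a caller never sees a half-written field. */
int set_name_bounded(struct vendor *v, const char *input)
{
    size_t len = 0;
    while (len < NAME_MAX && input[len] != '\0')   /* never scan past the limit */
        len++;
    if (len == NAME_MAX)                            /* no terminator within the space */
        return -1;
    memcpy(v->name, input, len + 1);                /* copies the NUL as well */
    return 0;
}

int main(void)
{
    struct vendor v = { "", 1 };
    const char *ok  = "Acme Bottles";                              /* 12 chars: fits */
    const char *bad = "A deliberately over-long vendor name string"; /* > 15 chars */

    printf("\"%s\" -> %d (approved=%d)\n", ok,  set_name_bounded(&v, ok),  v.approved);
    printf("\"%s\" -> %d (approved=%d)\n", bad, set_name_bounded(&v, bad), v.approved);
    return 0;
}
```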
13 Threats in the Software Environment (contd.)
A covert channel, or confinement problem, is an information flow issue. It is a communication channel that allows two cooperating processes to transfer information in such a way that it violates the system’s security policy. This is primarily a concern in systems containing highly sensitive information. There are two commonly defined types of covert channels: storage and timing. A covert storage channel involves the direct or indirect reading of a storage location by two different processes. A memory location or a sector on a disk that is shared by two subjects at different security levels is a typical example of a covert storage channel. A covert timing channel involves the ability to influence the rate at which some other process is able to acquire resources, such as the CPU, memory, or I/O devices. A process may pass information to another by modulating its own use of system resources, so that the other process can observe the variation in rate. Malicious software, also known as malicious code or malware, is a class of software that comes in many forms and performs a variety of damaging actions. The purposes of malware include:
•Propagation. The ability of the malware program to spread from system to system.
•Damage and destruction of information. Malware can alter or delete files on target systems.
•Stealing information. Malware can locate and steal valuable information such as e-mail addresses, user IDs, and passwords, and send that information to the malware’s owner or operator.
•Usage monitoring. Malware can implant the means to record subsequent communications, keystrokes, and mouse clicks, and send this data to the malware’s owner or operator.
•Denial of Service. Malware can consume all available resources on a target system, rendering it essentially useless for its intended use.
•Remote control. Malware can implant a bot onto a target system that allows an attacker to remotely control the system.
14 Threats in the Software Environment (contd.)
A Malformed Input Attack is one in which inputs collected from users are crafted in unusual ways that the program does not expect. There are various systems to detect and protect against such attacks. For example, an attack that redirected a Web browser to an alternate site might be caught by a firewall that detects the Uniform Resource Locator (URL) of an inappropriate site. Memory or Object Reuse: memory management involves sections of memory being allocated to one process for a while, then de-allocated, then reallocated to another process. Because residual information may remain when a section of memory is reassigned to a new process after a previous process is finished with it, a security violation may occur. While memory locations are of primary concern in this regard, developers should also be careful with the reuse of other resources that can contain information, such as disk space. The paging or swap file on the disk is frequently left unprotected and may contain an enormous amount of sensitive information if care is not taken to prevent this occurrence.
15 Threats in the Software Environment (contd.)
Executable content, or mobile code, is software that is transmitted across a network from a remote source to a local system and is then executed on that local system. The code is transferred by user actions and, in some cases, without the explicit action of the user. The code can arrive at the local system as an attachment to an e-mail message or through a Web page. The concept of mobile code has been called many names: mobile agents, mobile code, downloadable code, executable content, active capsules, remote code, etc. A social engineering attack is carried out on the personnel in an organization. Usually the purpose of a social engineering attack is to gain secrets from individuals that can later be used to gain unauthorized access to the organization’s systems. The social engineer uses a technique known as pretexting in an effort to pretend that they are someone else. Social engineers prey on people’s willingness to help, for example through feigned calls for assistance.
16 Threats in the Software Environment (contd.)
A Time of Check to Time of Use, or TOC/TOU (read as T-O-C-T-O-U), attack exploits the time gap between the moment the system’s security functions check a variable’s contents and the moment the variable is actually used during operations. It is also known as a race condition. In this state, the program may behave inconsistently, with arbitrary and erroneous results. For instance, a connection between two machines may drop. If an attacker manages to attach to one of the ports used for this link before the failure is detected, the invader can hijack the session by pretending to be the trusted machine. Data Contamination means corruption of data integrity by input data errors. It can be a deliberate or accidental process or act that results in a change in the integrity of the original data.
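An added example, not part of the course, of the TOC/TOU gap on a file path and the usual fix of checking the object that was actually opened rather than the name: `open_regular_nofollow`, `make_scratch_file` and the /tmp scratch file are assumptions for the demo, and it relies on the POSIX `O_NOFOLLOW` flag.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, not part of the course.  "Check the path, then open the
 * path" is the textbook TOC/TOU race: between the check and the open the
 * name can be re-pointed (for example at a symbolic link to a different
 * file), so the property that was verified no longer holds when the file
 * is used.  The fix is to check and use the same object: open first, then
 * inspect the descriptor, which cannot be swapped underneath the program. */

/* Racy pattern the text describes (illustration only, do not use):
 *
 *     if (access(path, R_OK) == 0)        // time of check, by name
 *         fd = open(path, O_RDONLY);      // time of use, by name again
 */

/* Opens `path` read-only and returns a descriptor only if the object that
 * was actually opened is a regular file.  O_NOFOLLOW makes open() fail with
 * ELOOP when the last path component is a symlink, so a link planted
 * between check and use is refused rather than followed. */
int open_regular_nofollow(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                       /* errno from open(): ELOOP, ENOENT, ... */

    struct stat st;                      /* checked on the fd, not on the name */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* Creates a scratch regular file with constructed content and writes its
 * path into `path_out` (at least 32 bytes).  Returns 0 on success. */
int make_scratch_file(char *path_out)
{
    strcpy(path_out, "/tmp/toctou-demo-XXXXXX");
    int fd = mkstemp(path_out);
    if (fd < 0)
        return -1;
    const char msg[] = "bid data\n";     /* constructed sample content */
    ssize_t n = write(fd, msg, sizeof msg - 1);
    close(fd);
    return n == (ssize_t)(sizeof msg - 1) ? 0 : -1;
}

int main(void)
{
    char file[32], link[32];
    if (make_scratch_file(file) != 0) { perror("mkstemp"); return 1; }
    snprintf(link, sizeof link, "%s.lnk", file);
    if (symlink(file, link) != 0) { perror("symlink"); unlink(file); return 1; }

    int fd = open_regular_nofollow(file);
    printf("regular file: %s\n", fd >= 0 ? "opened" : "refused");
    if (fd >= 0) close(fd);

    fd = open_regular_nofollow(link);    /* stands in for a swapped-in link */
    printf("symlink:      %s (%s)\n", fd >= 0 ? "opened" : "refused",
           fd >= 0 ? "-" : strerror(errno));
    if (fd >= 0) close(fd);

    unlink(link);
    unlink(file);
    return 0;
}
```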
17 Threats in the Software Environment (contd.)
The garbage collector attempts to reclaim garbage, or memory occupied by objects that are no longer in use by the program. Garbage collection is often portrayed as the opposite of manual memory management. The time when the garbage is actually collected can be unpredictable, resulting in stalls scattered throughout a session. A trapdoor or backdoor is a hidden mechanism that bypasses access control measures. It is an entry point into a program that is inserted in software by programmers during the program’s development. A programmer or someone who knows about the backdoor can exploit the trapdoor as a covert means of access after the program has been implemented in the system. An unauthorized user may also discover the entry point while trying to penetrate the system.
18 Business Scenario
The IT Department of Nutri Worldwide Inc. is developing a financial application to cater to the needs of their vendors and suppliers. The experienced development team worked diligently to meet the delivery deadline. To save time, they created a direct access path into the application. Once the application was ready, the security team tested the application’s ability to handle various threats like buffer overflows, garbage collection, covert channels, TOC/TOU, malformed input attacks, memory reuse, and data contamination. Tests were also performed on the application server to test its ability to handle virus attacks and malicious applets. Users were also made aware of social engineering attacks. Kevin volunteered to test the application as a part of his CISSP preparation. Kevin found out that one important threat was not identified by the application security testing team and informed Hilda Jacobs, General Manager, IT Security, about it. Question: Which important threat was not identified by the application security testing team? Answer: The presence of a backdoor was not identified.
19 System Life Cycle and Systems Development
The next topic is System Life Cycle and Systems Development. In this topic, we will explain software Capability Maturity Model (CMM) levels, discuss the systems development life cycle (SDLC), define software testing, identify software testing methods, state software testing levels, describe application controls, list software development methods, define Java security, and comprehend secure software development best practices. The Software Capability Maturity Model or CMM (read as C-M-M) is based on the premise that the quality of a software product is a direct function of the quality of its associated software development and maintenance processes. The Software CMM was first developed by the Software Engineering Institute or SEI (read as S-E-I) in 1986 (read as nineteen eighty six). The SEI defines five maturity levels that serve as a foundation for conducting continuous process improvement and as an ordinal scale for measuring the maturity of the organization involved in the software processes. The following are the five maturity levels:
•Level One: Initial – The software process is usually inconsistent and chaotic. Success depends on an individual’s effort, talent, and heroics.
•Level Two: Repeatable – The software process usually has a basic and reliable project management process. Project management practices are institutionalized.
•Level Three: Defined – The software process for management and engineering activities is defined. Technical practices are integrated with management practices.
•Level Four: Managed – Product and process improvement is the key focus. Product and process are quantitatively controlled.
•Level Five: Optimizing – The focus of this level is continuous process improvement. Process improvement is institutionalized.
An evolution of the CMM methodology has resulted in the development of the Capability Maturity Model Integration (CMMI) by the SEI. The CMMI integrates the best practices and knowledge from the disciplines of software engineering, acquisition, and systems engineering. It has replaced the Software CMM. Let’s proceed to the next topic, which is Systems Development Life Cycle (SDLC).
20 Systems Development Life Cycle
The Systems Development Life Cycle or SDLC (read as S-D-L-C), also called the Software Development Life Cycle, is a system development model used throughout the IT industry. The SDLC is a project management tool used to plan, execute, and control a software development project. The SDLC provides a framework for the phases of a software development project, starting from defining the functional requirements to implementation. The security practitioner should ensure that security is considered during all phases of the system life cycle, and that security activities are accomplished during each phase. Let us look at the phases of the SDLC and the security controls that can be included in each of them.
The first phase is to prepare a Security Plan. In this phase:
•A Sensitivity Assessment of the system and the information to be processed is conducted.
The second phase is Development or Acquisition. During this phase, the system is designed, purchased, programmed, and developed. This phase often consists of other defined cycles, such as the system development cycle or the acquisition cycle. The steps in this phase are:
•Determine security requirements
•Incorporate security requirements into specifications
•Obtain the system and related security activities
The next phase is Implementation, during which the system is tested and installed or fielded. Items to consider in this phase are:
•Install/switch on controls
•Security testing
•Certification and accreditation
The fourth phase is Operation and Maintenance, in which the system performs its work. The system is usually being continuously modified by the addition of hardware and software, and by many other events. Broadly, the items to consider in this phase are:
•Security operations and administration
•Operational assurance
•Audits and monitoring
•Change Management
•Configuration Management
Disposal is the last phase of the IT system life cycle and involves the disposal of information, hardware, and software. During this phase, secure information disposal and media sanitization are taken care of. Let us focus on the SDLC Operation and Maintenance phase in the next screen.
21 SDLC—Operation and Maintenance
Operation and Maintenance is an important phase in the system lifecycle and includes the following activities:
•Ensure operations continuity
•Monitor system performance
•Detect vulnerabilities
•Manage and avoid problems in the system
•Secure recovery of systems
•Periodic risk analysis
•Follow Change Management procedures
•Verify compliance
The security practitioner must ensure that all these activities are carried out according to the organization’s documented procedures. Let us discuss the integrated product team in the next screen.
22 Integrated Product Team (IPT)
An Integrated Product Team or IPT (read as I-P-T) is a multi-disciplinary team that helps facilitate decision making by:
•working together to build successful programs
•identifying and resolving issues
•making comprehensive and timely recommendations
The team comprises members from the organization’s appropriate functional disciplines. An IPT is used for review and decision-making in complex programs and projects. It provides a forum for collaboration by involving all the stakeholders such as users, management, customers, contractors, and developers. Let us discuss DevOps in the following screen.
23 DevOps
DevOps, derived from the terms “development” and “operations”, is a software development method that places importance on communication, collaboration, and integration between the organization’s software developers and IT staff. DevOps addresses the interdependence of software development and IT operations, a need that is felt especially by organizations with very frequent releases. DevOps helps an organization to quickly produce software products and services and ensures that Quality Assurance is adopted to improve operations performance. In the next screen, we will discuss software testing methods.
24 Software Testing Methods
The primary purpose of software testing is to detect and uncover errors and bugs. It is an ongoing process that helps to identify the correctness, completeness, and quality of a developed application. It is required to achieve maximum profit with a good quality product, within the limitations of time and money. In the software development life cycle, testing is important as it improves reliability, performance, and other important factors as per the requirement specifications. Different tests need to be performed in all the phases of the SDLC. The following are some of the methods used for software testing. Static testing is a form of software testing where the software isn’t executed. It checks the sanity of the code, algorithm, or document, primarily by examining the code or manually reviewing the code or document to find errors. Code reviews, inspections, and software walkthroughs are also used. Dynamic testing, or dynamic analysis, is a term used in software engineering to describe the testing of the dynamic behavior of code. In dynamic testing the software must actually be compiled and run. It involves working with the software, giving input values, and checking whether the output matches the expected values. Unit tests, integration tests, system tests, and acceptance tests utilize dynamic testing. White-box testing is also known as clear box testing, glass box testing, transparent box testing, and structural testing. It is a method of testing software that tests the internal structures or workings of an application. In white-box testing, an internal perspective of the system, as well as programming skills, is used to design test cases. The tester chooses inputs to exercise paths through the code and determines the appropriate outputs. Black box testing is also known as functional testing. It is a software testing technique whereby the internal workings of the item being tested are not known by the tester.
For example, in a black box test on software design, the tester only knows the inputs and the expected outcomes and not the actual output achieved. The tester never examines the programming code and does not need any further knowledge of the program other than its specifications. A Requirements Traceability Matrix, or RTM, can be used to map the customer’s requirements to the software testing plan. It traces the requirements and ensures that they are being met. Combinatorial software testing is a black-box testing method that seeks to identify and test all unique combinations of software inputs. An example of combinatorial software testing is pairwise testing (also called all-pairs testing). Fuzzing is also known as fuzz testing. It is a type of black box testing that enters random, malformed data as inputs into software programs to determine if they will crash. A program that crashes when receiving malformed or unexpected input is likely to suffer from a boundary checking issue and may be vulnerable to a buffer overflow attack. Any program that crashes or hangs has failed the fuzz test. We will discuss Software testing levels in the next screen.
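As an added example that is not from the course, the harness below applies fuzz testing to a small length-prefixed record parser and checks boundary invariants on every mutated input rather than just waiting for a crash; the record format, `parse_records`, `fuzz_parser` and the sample message are all constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not part of the course.  The message format is constructed
 * for the demo: each record is one length byte followed by that many payload
 * bytes.  The parser does the boundary check a fuzzer typically finds missing:
 * it compares each declared length with the bytes actually remaining before
 * touching them.  The harness then feeds the parser thousands of mutated
 * inputs and checks on every call that it never reports consuming more than
 * it was given and that success means the whole input was accounted for. */

#define MAX_RECORDS 8
#define MSG_MAX     64

/* Returns the number of records (>= 0) or -1 on malformed input.
 * *consumed is set to the number of input bytes examined. */
int parse_records(const uint8_t *buf, size_t len, size_t *consumed)
{
    size_t pos = 0;
    int count = 0;
    while (pos < len) {
        size_t rec_len = buf[pos++];
        if (rec_len > len - pos) {     /* declared length exceeds data left */
            *consumed = pos;
            return -1;
        }
        if (++count > MAX_RECORDS) {   /* cap the work one input can demand */
            *consumed = pos;
            return -1;
        }
        pos += rec_len;                /* payload would be handled here */
    }
    *consumed = pos;
    return count;
}

/* Deterministic generator so a failing run can be reproduced from its seed. */
static uint32_t next_rand(uint32_t *s)
{
    *s = *s * 1664525u + 1013904223u;
    return *s >> 8;
}

/* Runs `iterations` mutated messages through the parser and returns the
 * number of invariant violations observed (0 means the parser passed). */
int fuzz_parser(uint32_t seed, int iterations)
{
    static const uint8_t valid[] = { 3, 'a', 'b', 'c', 0, 2, 'x', 'y' };  /* constructed */
    int violations = 0;

    for (int i = 0; i < iterations; i++) {
        uint8_t msg[MSG_MAX];
        size_t len = 1 + next_rand(&seed) % MSG_MAX;     /* random total length */
        for (size_t k = 0; k < len; k++)
            msg[k] = (uint8_t)next_rand(&seed);          /* random junk ... */
        if (next_rand(&seed) % 2 == 0) {                 /* ... or a mutated valid message */
            size_t n = sizeof valid < len ? sizeof valid : len;
            memcpy(msg, valid, n);
            msg[next_rand(&seed) % len] = (uint8_t)next_rand(&seed);  /* one-byte flip */
        }

        size_t consumed = 0;
        int rc = parse_records(msg, len, &consumed);
        if (consumed > len)             violations++;    /* read past the input */
        if (rc >= 0 && consumed != len) violations++;    /* success with bytes unaccounted for */
        if (rc > MAX_RECORDS)           violations++;    /* ignored its own cap */
    }
    return violations;
}

int main(void)
{
    static const uint8_t ok[]  = { 3, 'a', 'b', 'c', 0, 2, 'x', 'y' };
    static const uint8_t bad[] = { 5, 'a' };           /* claims 5 bytes, supplies 1 */
    size_t used;
    printf("valid message:     %d records\n", parse_records(ok, sizeof ok, &used));
    printf("truncated message: %d\n", parse_records(bad, sizeof bad, &used));
    printf("fuzz violations:   %d\n", fuzz_parser(12345u, 20000));
    return 0;
}
```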
25 Software Testing Levels
Software testing levels are as follows:
•Unit Testing is the low-level testing of software components, such as functions, procedures, or objects.
•Installation Testing is the testing of software as it is installed and first operated.
•Integration Testing is done to test multiple software components as they are combined into a working system.
•Regression Testing tests software after updates, modifications, or patches.
•Acceptance Testing is performed to ensure the software meets the customer’s operational requirements; when this testing is done directly by the customer, it is called User Acceptance Testing.
We will cover application controls in the next screen.
26 Application Controls
The goal of application controls is to enforce the organization’s security policy and procedures and to maintain the confidentiality, integrity, and availability of the computer-based information. Application security involves the input to the system, the data being processed, and the output of the system. The controls can be classified into preventive, detective, and corrective measures that apply to different security categories. These controls and categories are listed in the Table. In the subsequent screen, we will look at software development methods in detail.
27 Software Development Methods
There are various methods used for software development. Some of the popular methods are the Waterfall Model; the Spiral Model; Rapid Application Development; Extreme Programming; and other models. The Waterfall Model is a linear application development model that uses rigid phases. When one phase ends, the next begins. Steps occur in sequence, and, if unmodified, the model does not allow developers to go back to previous steps. In 1976, Barry Boehm reinterpreted the waterfall model. The modified waterfall model allows a return to a previous phase for verification or validation, ideally confined to connecting steps. In this modified version of the Waterfall model, rework can be accomplished within a phase when the phase-end review shows that it is required. The advantages of this method are that it is simple to implement, being a linear model, and that the amount of resources required to implement it is minimal. The disadvantage of this method is that one cannot go back a step or phase once it is finished, so small changes or errors that arise in the completed software may cause a lot of problems.
28 Software Development Methods (contd.)
In 1988, Barry Boehm developed the Spiral model, which is actually a meta-model that incorporates a number of software development models. This model depicts a spiral that incorporates the various phases of software development. The model states that each cycle of the spiral involves the same series of steps for each part of the project. The spiral model combines the idea of iterative development, or prototyping, with the systematic, controlled aspects of the waterfall model. It allows for incremental releases of the product, or incremental refinement through each time around the spiral. The spiral model also explicitly includes risk management within software development. The advantages of this method are that repeated or continuous development helps in risk management, and that the customer’s expertise on the new system grows, enabling smooth development of a product that meets client needs. The disadvantages of this method are that the model is best suited to large projects, where the costs involved are higher and the system prerequisites involve a higher level of complexity, and that evaluating the risks involved in the project can increase the cost, which may be higher than the cost of building the system.
29 Software Development Methods (contd.)
Rapid Application Development or RAD (read as one word, RAD) is a form of rapid prototyping that requires strict time limits on each phase and relies on tools that enable quick development. In RAD, software is developed via the use of prototypes, dummy Graphical User Interfaces or GUIs (read as G-U-Is), back-end databases, and more. The primary goal is to meet the system’s business need. The advantages of this method are that it promotes a strong collaborative atmosphere and dynamic gathering of requirements, and that the business owner actively participates in prototyping, writing test cases, and performing unit testing. The disadvantages of RAD are that it depends on strong cohesive teams and individual commitment to the project. Decision-making relies on the feat