Sunday, August 30, 2020

Secure Software Development Architecture


 

Innovative Solutions for Enterprise Software Development

Licensed to Jack Harris by CC

 

 

Secure Software Development and Future Risk: Strategic View

The complexity of information systems and the sophistication of cyber adversaries has created the need for cost-effective solutions to secure the organization’s digital assets (Harris, 2020).  A somewhat simplistic statement might be “if the mitigation of risk costs more than the potential loss, it is not a solution” (Stewart et al., 2013).  Before accepting a “do nothing” approach to a given risk factor, organizations must take a critical look at the cost-effectiveness and efficacy of their secure software development strategy. 

Architecture Planning

Software is developed to support specific business needs.  The importance of balancing innovation, security, and functionality against the organization’s strategic objectives cannot be overstated.  There are five key characteristics that must be considered:

· Scalability
· Security
· Interconnectivity
· Performance
· Cost

In large organizations, digital assets consist of a wide array of software and physical systems that most often include cloud-based services, hybrid infrastructure, and both internal and external software (Span et al., 2018).  Innovative processes and systems have added complexity to information security.  When you add factors such as the velocity, volume, and variety of data, it becomes apparent that organizations must change their culture and focus to ensure security is a priority.  The mission of secure software development is to develop quality software in a secure, expedient, interoperable, and cost-effective manner.

Security + Development + Operation = DevSecOps

If your organization has embraced DevOps, transitioning to DevSecOps will be a cultural shift, but the benefits are worth the effort (Jeganathan, 2019).  In DevOps, the goal is to deliver the product in a continuous integration (CI) and continuous delivery (CD) manner.  Security can hinder the success of the CI/CD model if it is not well integrated with DevOps.  The goal of DevSecOps is to deliver secure software at the speeds enjoyed by DevOps.  Figure 1 is a conceptual model of DevSecOps.


Figure 1: DevSecOps Conceptual Model

OWASP Top Ten, SANS 25, and Threat Intelligence

Secure software development practices increase project costs and require more resources, but they can be a lot less expensive than a data breach (Harris, 2020).  Strategies for proactive security include threat assessments, baked-in security, and repetitive testing.  CxSAST is a tool that scans for all OWASP Top 10 and SANS 25 vulnerabilities (SAMATE, 2016).  CxSAST also checks for compliance with government regulations and industry standards such as the Health Insurance Portability and Accountability Act (HIPAA), the Motor Industry Software Reliability Association (MISRA), and the Payment Card Industry Data Security Standard (PCI-DSS).  The scans include customizable queries, and the software has a low false-positive rate.  Before applications are placed into production, they are deployed to a staging platform for final vulnerability scans.

If the threat landscape never changed, a risk assessment would be a static process.  In addition to known cyber threats, new vulnerabilities are discovered on nearly a daily basis (Hazeyama et al., 2019; Sipper, 2020).  The reactionary approach creates a conundrum and lacks the robustness needed for digital asset protection.  Limited information technology (IT) budgets, unknown vulnerabilities, and increasingly complex attack surfaces restrict the addition of innovative processes to protect data and reduce risk (Last, 2015).  Threat intelligence plays a vital role in preventing unauthorized access (Harris, 2020).  Cyber intelligence analysts identify potential threats and risk exposure.  As an organization grows or the industry changes, the organization may receive unwanted attention from threat actors.  Threat intelligence includes technical research to watch trends, monitoring malware repositories on the dark web/deep web, and analysis to be able to predict future activities.  Unfortunately, advanced cyber threat intelligence activities are expensive, and many organizations do not have adequate budgets for implementing cyber threat intelligence.  Given the cost associated with threat intelligence, many organizations are outsourcing threat intelligence activities to third-party vendors.  These services typically offer data feeds and Application Programming Interfaces (APIs) and can reduce the cost of threat intelligence considerably.

 

 

References

 

Harris, J. (2020). Proactive defense against future threats. Northcentral University.

Hazeyama, A., Miyahara, H., Tanaka, T., Washizaki, H., Kaiya, H., Okubo, T., & Yoshioka, N. (2019). A system for seamless support from security requirements analysis to security design using a software security knowledge base. 2019 IEEE 27th International Requirements Engineering Conference Workshops (REW), 134–140. https://doi.org/10.1109/REW.2019.00029

Jeganathan, S. (2019). DevSecOps- a systemic approach for secure software development. ISSA Journal, 17(11), 20–27.

Last, D. (2015). Using historical software vulnerability data to forecast future vulnerabilities. 2015 Resilience Week (RWS), 1–7. https://doi.org/10.1109/RWEEK.2015.7287429

SAMATE. (2016). Source Code Security Analyzers—SAMATE. https://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html

Sipper, J. A. (2020). Cyber threat intelligence and the cyber meta-reality and cyber microbiome. 2020 International Conference on Cyber Security and Protection of Digital Services (Cyber Security), 1–5. https://doi.org/10.1109/CyberSecurity49315.2020.9138858

Span, M. T., Mailloux, L. O., R. Grimaila, M., & Young, W. B. (2018). A systems security approach for requirements analysis of complex cyber-physical systems. 2018 International Conference on Cyber Security and Protection of Digital Services (Cyber Security), 1–8. https://doi.org/10.1109/CyberSecPODS.2018.8560682

Stewart, J. M., Chapple, M., & Gibson, D. (2013). CISSP Study Guide (7th ed.). John Wiley and Sons, Inc.



Sunday, September 30, 2018

Risk Management Framework for Cloud Computing Security



Enterprise risk management (ERM), in general, applies to every aspect of the enterprise, regardless of size.  Risks can be categorized as preventable, strategic, and external (Kaplan & Mikes, 2012) and must be identified, assessed, and managed.  Preventable risks are internal, and every effort should be applied to eliminate or minimize their impact.  Some examples of internal risks are operational, legal, and ethical risks, which can be monitored and controlled through rules-based policies.  Strategic risk is not necessarily a negative thing.  Some examples are strategies to maximize profits through the use of disruptive technology, investing in high-risk ventures, and diversification of product offerings.  External risks are those that are unpreventable and beyond the company’s control.  Events that fall into this category are natural disasters, cyber attacks, and economic changes.

“He who is not courageous enough to take risks will accomplish nothing in life.”
- Muhammad Ali

In the context of this blog, the five main types of risk are: strategic, operational, financial, compliance, and reputational.  While the ultimate goal of risk management is to create and protect value, strategic risk management (SRM) is more focused on shareholder value (Frigo & Anderson, 2011).  The process of strategic risk management is not much different from enterprise risk management in that the primary goal is to identify, assess, and prioritize risks to achieving company goals and strategic objectives.

Operational risk management (ORM) is the oversight of risks from failed processes, inadequate systems, human resource factors, and external events and cannot be completely eliminated.  The outcome of disruption in operations can have both financial and reputation consequences (Naude & Chiweshe, 2017).   Failures in operational processes can have an impact on the financial health of the firm. 

Financial risk can influence a company’s value in multiple ways (Bartram, 2002).  Market conditions, the financial health of customers, the capital structure of the organization, and cash flow volatility all affect a firm’s value.  A complete valuation of financial risk would have to include operational risk, credit risk, and business risk.  Management of all other types of risk affects the financial health of the firm.  Hedging the financial risk associated with other risk types can be difficult and takes careful planning (Christoffersen, 2003).

The failure to comply with the rapidly changing compliance landscape can undermine the financial well-being of the firm, destroy public confidence in the company, and put the company’s leadership in legal jeopardy.  A thorough compliance risk management system can add value to the company’s risk management strategy by identifying and tracking regulatory requirements on a local, state, national, and international basis.

Risk of loss due to damages to a company’s reputation is a reputational risk.  Consequences of an adverse event can include lost revenue, destruction of shareholder value, increased costs of capital, and increased costs of operations.  Managing reputational risk will help keep the company out of the court of law and the court of public opinion (Kossovsky, 2014).

Web Server Functionality

On a high level, there are four basic functions of a web server.  These basic public-facing functions are: hypertext transfer protocol (HTTP), file transfer protocol (FTP), email server, and database server.  The secure version of HTTP is HTTPS, and the secure version of FTP is SFTP.  All of these basic functions deliver content.  The term web server can pertain to both the hardware and the software that provide the content.  Web servers are the backbone of the Internet.  Without websites, the Internet explosion would not have happened.  Websites are easy to create, and whether a company runs its web servers on premises or uses cloud-based web hosting, web server protocols have vulnerabilities.

There are several cyber attacks against websites that are popular with hackers.  One of the easiest is denial of service (DoS) and distributed denial of service (DDoS).  Every website has a uniform resource locator (URL) address that corresponds to an Internet Protocol (IP) address.  A DoS or DDoS attack can easily take a web server down and prevent legitimate traffic from getting through (Stewart, Mike, & Darril, 2013).

Closely related, but acting at the application layer, is the HTTP DoS attack.  The hacker scans all the pages on a web server and makes a note of how much time it takes for the web server to respond to each request.  The hacker then selects the pages that require the most processing time and creates a script to send multiple HTTP requests to the server.  The web server becomes overwhelmed and eventually stops responding to requests (CEH v10, 2018).

Cross-site scripting (XSS) is a common vulnerability, and yet it is one of the easiest to mitigate.  Caused by poor programming practices, XSS allows the hacker to inject client-side code, usually JavaScript, to exploit the browser session.  There is one basic rule to implement during HTML coding.  That rule is to deny all untrusted data except in allowed locations.  JavaScript is easy to detect and should never be accepted from an untrusted source.

SQL injection is another popular website attack that is caused by poorly designed code.  Websites that use a backend SQL server are vulnerable to malicious SQL queries (CEH v10, 2018).  There are different classes of SQL injection attacks.  Most of these attacks can be mitigated by using middleware filters or code validation.

A man-in-the-middle attack refers to a hacker who is logically positioned between a client and a server.  In the middle of what is presumed to be a two-way communication, the hacker uses a store and forward process and can record sensitive data including logon credentials.  Man-in-the-middle attacks are difficult to detect because the communication traversing the network appears to be legitimate (Stewart et al., 2013).
  
Attacks on web servers are one example of an IT security risk that should not be ignored.  This last section of the article explains how COBIT 5 can be used as a framework for addressing web server security in the context of cloud-based services and Software as a Service (SaaS).  While not a direct fit for SaaS, COBIT 5 is easily adapted to cloud-based infrastructure and platforms.

The prevalence of cloud-based computing (CC) has changed the level of complexity faced by information security professionals (Bounagui, Mezrioui, & Hafiddi, 2018).  Managing risk in the CC environment is more challenging than in legacy, on-premises computing models.  The lack of control over software security, the inability to maintain complete control over personnel who have administrative authority over the server, and limited control over patching cycles are some of those challenges.

There are three processes in COBIT 5 that address information security and will be the focus of this part of the article.  Those processes are APO13 (manage security), DSS04 (manage continuity), and DSS05 (manage security services) (COBIT 5, 2012).

The focus of information security is to maintain confidentiality, integrity, and availability (CIA) of data.  Developing and implementing an information security management system (ISMS) is the focus of APO13.  The purpose of the ISMS is to manage the resources and the controls required to maintain CIA.

DSS04, managing continuity, focuses on establishing control over the business, to be activated in a crisis, to maintain continuity of processes and maintain business as usual.  Maintaining CIA, whether in a crisis or not, is the focus of DSS05.  There are areas that COBIT 5 does not address.  It was never engineered to consider special security requirements and continuity concerns of a hybrid or public cloud structure.   Thought needs to be given to establishing a custom framework that will blend favorable nuances from both COBIT 5 and other frameworks.

References








Saturday, September 15, 2018

Email - a Review of Technology

Electronic mail (Email), as it is used today, offers simple and efficient communications.  After decades of modification, it currently accounts for a large percentage of Internet use (Msongaleli & Kucuk, 2018).  Email is critical to any business and requires high security (Gupta, Pilli, Mishra, Pundir, & Joshi, 2014).  There are many closed mail systems; the two main enterprise-level systems are IBM’s Lotus Notes / Domino and Microsoft’s Exchange.  These systems typically use proprietary protocols when sending and receiving email within the corporate environment.  For communications outside the corporate system, and for email between other entities, three email protocol suites are used: Simple Mail Transfer Protocol (SMTP), Post Office Protocol (POP3), and Internet Message Access Protocol (IMAP) (Gupta et al., 2014).

There are significant security issues with Internet mail.  Internet mail is susceptible to malicious content, ranging from nuisance email (inappropriate images and offensive text) to email infected by malware (Gupta et al., 2014).

Example of server/client relationship

While there are some open SMTP relays in existence, most SMTP servers use the relay feature to route mail through trusted SMTP relay services or by direct connection to trusted SMTP servers.  When an individual sends a message, it is either through a client like Outlook or Lotus Notes, or through a web-based service like Gmail.  The message is formatted to be transmitted using SMTP (Msongaleli & Kucuk, 2018).  The sender’s mail server, commonly called a mail transfer agent (MTA), looks up the recipient’s domain in a Domain Name Service (DNS) server to determine the destination server.  This location is noted in a mail exchanger (MX) record on the DNS server.  The message is passed to the receiving SMTP server through multiple hops and waits on the receiving SMTP server until retrieved by the recipient’s client.

 

Figure 1 Photo courtesy of Syed Zaidlrshad


Crimes Committed by Email
Crimes committed by email include propagating malware through email, spoofing email with the intent to cause harm, and email bombing. 

Crimes Supported by Email
Email fraud is a crime that can be supported by email messages.  Phishing is a crime supported by email until the criminal’s target data is acquired.  After acquiring the data, criminals then engage in cybercrime, in many cases using the computer.  Phishing is a social technique that criminals use to trick recipients into divulging confidential information that can be used to gain access to systems.  Phishing has also been used to direct an unsuspecting user to a website where the criminal gathers personal information (Shaikh, Shabut, & Hossain, 2016).
Email Spoofing
Email spoofing is the act of falsifying the name and email address of the sender.  Email spoofing with the intent to harm is illegal.  Spoofing is as simple as owning an SMTP server.  There are also websites that provide spoofing mailboxes like https://www.mailinator.com.    
Common Email Headers
There are as many formats as there are email systems.  Click on a link below to investigate these common headers:

Formats can have different nuances as long as required elements are present.
Forensic Tools
There are many forensic tools available to investigate email.  The purpose of cyber forensic email analysis is to collect evidence.  The investigation includes both header and body and can be for many different purposes.  Click on a link below to learn more about available tools for email forensic investigations (Krishna Devendran, Shahriar, & Clincy, 2015):
1. MailXaminer
2. Aid4Mail
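The header analysis that forensic tools like those above automate, and that exposes the spoofed sender described earlier, can be reproduced with Python’s standard email library. This added example (not code from the post or from either tool) parses a constructed message and reports the indicators an analyst would look for: the Return-Path, first Received hop, and Message-ID domains are compared against the domain claimed in the From header. Every host name, address, and identifier in the sample is constructed.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample message (not a real capture): the From header claims one
# domain while the envelope sender, Message-ID and relay path point elsewhere.
RAW_MESSAGE = b"""Return-Path: <bounce@mailer.example.net>
Received: from mx1.example.org (mx1.example.org [203.0.113.10])
\tby inbound.example.com with ESMTPS id abc123; Mon, 10 Sep 2018 08:00:02 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx1.example.org with ESMTP id def456; Mon, 10 Sep 2018 08:00:01 +0000
From: "IT Helpdesk" <helpdesk@bank.example.com>
To: employee@example.com
Subject: Password expiry notice
Message-ID: <constructed-0001@mailer.example.net>

Please confirm your credentials at the link below.
"""

# Matches the "from <host> (<info>) by <host>" clause of a Received header.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)", re.IGNORECASE)

def parse_message(raw):
    return BytesParser(policy=policy.default).parsebytes(raw)

def received_hops(msg):
    """Relay path oldest-first as (from_host, from_info, by_host) tuples."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(str(value).split()))
        if m:
            hops.append((m.group(1), m.group(2), m.group(3)))
    hops.reverse()  # each MTA prepends its header, so the last one is the first hop
    return hops

def domain_of(addr):
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()

def spoof_indicators(msg):
    """Header checks an analyst would run on a suspected spoofed message."""
    findings = []
    from_domain = domain_of(msg.get("From", ""))
    return_domain = domain_of(msg.get("Return-Path", ""))
    if from_domain and return_domain and from_domain != return_domain:
        findings.append(f"From domain {from_domain} != Return-Path domain {return_domain}")
    hops = received_hops(msg)
    if hops and from_domain and hops[0][0] != from_domain \
            and not hops[0][0].endswith("." + from_domain):
        findings.append(f"first relay {hops[0][0]} is outside the From domain")
    msgid_domain = str(msg.get("Message-ID", "")).rpartition("@")[2].rstrip(">").lower()
    if msgid_domain and from_domain and msgid_domain != from_domain:
        findings.append(f"Message-ID domain {msgid_domain} != From domain")
    return findings
```

Each finding on its own is only a hint (legitimate bulk mailers also send on behalf of other domains), so the output is a list to review alongside the message body, not a verdict.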

USA Cybercrime Email Laws
There is a lack of email specific federal law except for the CAN-SPAM act of 2003, Pub. L. No 108-187, 117 statutes 2688.  The act pertains to sending large quantities of email, and the law makes it a felony to access a computer without authorization to send a mass email, materially alter the sender address, or cause an aggregate loss of $5000 or more.  To review the law and other aspects of cybercrime click the link: 


Education
Education of users is an important tool in fighting email attacks.  Employee awareness training should include what to look for in a suspicious email, how to show details of sender addresses, and where to look on specific email clients for clues to which domain a link points to.  Simulated phishing awareness programs are a tool for raising employee awareness; they consist of an email with a link that should raise suspicion and an explanatory landing page that informs the employee that this could easily have been a malicious link.  More information is available at: 
Tools to Combat Malicious Email
Spam filters and sandboxes are two tools that can help information security professionals secure their assets.  Most enterprise-level email security platforms use comprehensive tools to analyze email and block spam and advanced threats with both cloud-based and in-house solutions.  FireEye, a Mandiant company, has been protecting large enterprises with their comprehensive solutions.  For more information, follow the link below:

