Domain 4: Secure Software Architecture and Design

Secure Software Architecture and Design Core Concepts

Some of the interfaces related to secure software development include:

  • User Interface (UI): According to the Clark-Wilson security model, subjects should never touch protected objects directly; a well-formed interface (Clark-Wilson's "transformation procedure") should sit between every subject and the object it acts upon. This enables the enforcement of access controls, supports abstraction, simplifies the creation of an audit trail, and can provide confidentiality protections such as masking sensitive data before it is displayed.

  • Application Programming Interface (API): APIs allow one program to access the functionality of another. Because they are designed for machine-to-machine use, APIs are ideal targets for automated attacks and must be secured as rigorously as UIs (authentication, authorization, input validation, and rate limiting apply just as much here).

  • Security Management Interface (SMI): SMIs are tools such as web portals that are used to configure a system (such as a router), including its security settings. Because they expose highly privileged functionality, SMIs are a common weak link: typical failings are default or weak login credentials, over-broad privileges, missing encryption of the management channel, absent logging and monitoring, and exposure to untrusted networks instead of being restricted to local or dedicated management access.

  • Out-of-Band (OOB) Interface: An OOB interface permits the administration of a device even when its operating system is idle, unresponsive, or powered off (a baseboard management controller reached over a separate management network is the usual example). These interfaces exist specifically for remote access and operate below the operating system's controls, making strong access control and network isolation essential.

  • Log Interface: Logging is key to auditing, threat detection, and regulatory compliance. Central management of logs helps with scalability and effective monitoring.

Digital Certificates

Digital certificates have several uses, including:

  • Personal Certificates: Uniquely identify a person for secure email or similar functions

  • Server Certificates: Prove the identity of a server and enable TLS (formerly SSL) encryption for protocols such as HTTPS

  • Extended Validation (EV) Certificates: Intended to provide extra assurance that a domain is operated by a particular legally registered company. Major browsers no longer display a distinct EV indicator, in part because the legal-entity name shown is not unique: an attacker can register a company with the same name in a different jurisdiction and obtain a legitimate EV certificate for it.

  • Software Publisher Certificates: Used to digitally sign software to prove the authenticity and integrity of the code

The X.509 standard for digital certificates has four required fields:

  • Certificate: Includes the version number, the signature algorithm identifier, and the serial number (which must be unique per issuer)

  • Issuer: Specifies the certificate authority (CA) that issued the certificate

  • Validity Period: Defines the lifetime of the certificate

  • Subject: Specifies the distinguished name of the certificate owner together with its public key and key algorithm (the subject public key info)

The optional fields in an X.509 certificate include:

  • Unique Identifiers: Issuer and subject unique identifiers (version 2 and later), intended to disambiguate reused names

  • Extensions: Version 3 additions such as key usage, extended key usage, subject alternative names, and basic constraints (whether the certificate may act as a CA); an extension marked critical must be understood by the relying party or the certificate is rejected

An X.509 certificate will also be digitally signed by its issuer's private key. The signature covers all of the fields above, so a relying party can detect any change to them by verifying the signature with the issuer's public key.

Trusted Platform Modules

A trusted platform module (TPM) is a piece of hardware designed to be tamper-resistant. It hosts cryptographic keys that can be used inside the module but never exported from it in the clear, and it acts as a hardware root of trust for the system.

The trusted platform module (TPM) provides hardware protection for cryptographic keys on a system. Key elements include:

  • Cryptographic Processor: The cryptographic processor includes a random number generator, key generators, hash generators, and encryption and digital signature algorithms.

  • Versatile Memory: Versatile memory includes platform configuration registers, attestation identity keys, and storage keys.

  • Persistent Memory: Persistent memory includes the storage root key and endorsement key.

Public key databases and Graphics Processing Units (GPUs) are not part of a TPM.
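The platform configuration registers (PCRs) listed above are what makes the TPM a root of trust for measured boot and remote attestation: a PCR cannot be written directly, only extended by hashing the new measurement together with the previous register value. The following is an added example written for these notes (not code from the original page or from any TPM vendor) that models the SHA-256 PCR extend operation and the verifier-side check of a quote against an event log. The boot components, the "golden" policy value, and the `attest` helper are constructed for illustration; real attestation additionally verifies the TPM's signature over the quote with an attestation identity key, which this model omits.

```python
import hashlib
import hmac

DIGEST_LEN = 32  # SHA-256 PCR bank


def pcr_reset() -> bytes:
    """PCRs 0-16 start as all zeros at platform reset."""
    return bytes(DIGEST_LEN)


def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    """Model TPM2_PCR_Event: hash the event, then fold the digest into the register.

    PCR_new = H(PCR_old || H(event)).  The register is never written directly,
    so a later measurement cannot erase or reorder an earlier one.
    """
    event_digest = hashlib.sha256(event).digest()
    return hashlib.sha256(pcr + event_digest).digest()


def measure_boot(components):
    """Extend each boot component in order; return the final PCR and an event log.

    `components` is a list of (name, bytes) pairs.  The event log is what the
    platform sends to a remote verifier alongside the TPM quote.
    """
    pcr = pcr_reset()
    event_log = []
    for name, blob in components:
        pcr = pcr_extend(pcr, blob)
        event_log.append((name, hashlib.sha256(blob).hexdigest()))
    return pcr, event_log


def replay_event_log(event_log) -> bytes:
    """Verifier side: recompute the PCR from the claimed event digests alone."""
    pcr = pcr_reset()
    for _name, digest_hex in event_log:
        pcr = hashlib.sha256(pcr + bytes.fromhex(digest_hex)).digest()
    return pcr


def attest(quoted_pcr: bytes, event_log, golden_pcr: bytes) -> bool:
    """Accept the platform only if the log explains the quoted PCR and the PCR matches policy.

    compare_digest avoids leaking how many leading bytes matched through timing.
    """
    log_consistent = hmac.compare_digest(replay_event_log(event_log), quoted_pcr)
    policy_match = hmac.compare_digest(quoted_pcr, golden_pcr)
    return log_consistent and policy_match


# Constructed sample boot chain (placeholder byte strings, not real firmware images).
GOOD_CHAIN = [
    ("firmware", b"UEFI firmware v1.2"),
    ("bootloader", b"shim+grub signed build 42"),
    ("kernel", b"vmlinuz-6.1"),
]
TAMPERED_CHAIN = GOOD_CHAIN[:2] + [("kernel", b"vmlinuz-6.1 with bootkit")]
REORDERED_CHAIN = [GOOD_CHAIN[1], GOOD_CHAIN[0], GOOD_CHAIN[2]]

# The policy value a verifier would pin after measuring a known-good platform.
GOLDEN_PCR, _ = measure_boot(GOOD_CHAIN)


def demo() -> dict:
    good_pcr, good_log = measure_boot(GOOD_CHAIN)
    bad_pcr, bad_log = measure_boot(TAMPERED_CHAIN)
    swapped_pcr, swapped_log = measure_boot(REORDERED_CHAIN)
    return {
        "good": attest(good_pcr, good_log, GOLDEN_PCR),
        "tampered": attest(bad_pcr, bad_log, GOLDEN_PCR),
        "reordered": attest(swapped_pcr, swapped_log, GOLDEN_PCR),
        # A tampered platform presenting the honest log cannot explain its own PCR.
        "forged_log": attest(bad_pcr, good_log, GOLDEN_PCR),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:10s} -> {'ACCEPT' if accepted else 'REJECT'}")
```

The "reordered" case is the point practitioners most often miss: the same three components measured in a different order produce a different PCR, so the register captures the boot sequence, not just the set of files. The "forged_log" case shows why the verifier replays the log rather than trusting it: a log that does not reproduce the quoted PCR is rejected even if every entry in it looks benign.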

The trusted computing base (TCB) is the set of hardware, firmware, and software components on which the system's security policy depends. A flaw in any TCB component can violate the policy; components outside the TCB can fail or be compromised without doing so, which is why keeping the TCB small and well-understood is a core design goal.

Databases are an example of structured data. The Extensible Markup Language (XML), JavaScript Object Notation (JSON), and similar formats are also structured.

Email, documents, and similar files are unstructured data. Unstructured data is far greater in volume but harder to search, classify, and manage, which makes it harder to apply consistent access controls and data-loss protections to it.

Control systems include programmable logic controllers (PLCs), remote terminal units (RTUs), and similar devices. Collectively these are industrial control systems (ICS); supervisory control and data acquisition (SCADA) is the most widely known type of ICS, and the term is often used loosely for all of them.

Commonly used security architecture frameworks include SABSA, Open Group Library, and Open Security Architecture (OSA).

The OWASP Security Design Principles are designed to help developers put security principles into practice; they are not a security architecture framework.


Secure Design Processes

The benefits of integrating security into the SDLC early include:

  • Cost Savings: Identifying vulnerabilities in the design phase of the SDLC is estimated to be 100x cheaper than identifying them in production.

  • Resiliency and Recoverability: Vulnerabilities found and fixed during development never reach an attacker, and software designed with failure in mind degrades and recovers more gracefully, minimizing impacts to confidentiality, integrity, and availability.

  • Quality, Low-Error Software: Secure design involves considering what can go wrong with software and addressing those potential issues, which reduces the risk of both attack and errors.

  • Minimal Redesign: Software built based on best practices does not need to be redesigned after an attack and has a consistent design across similar components.

  • Reduced Business Logic Flaws: A business logic flaw is a defect in the design itself, so code that faithfully implements the design still does something unintended. Security-relevant examples include authentication bypasses, such as a password-reset flow that lets an attacker change a user's password after guessing the answers to their security questions.

While integrating security early may reduce the size of code, this is not guaranteed.

Attack Surface Evaluation

Attack surface evaluation is intended to identify how a system can be attacked by a threat actor. Attack surfaces can be broken up into three dimensions:

  • Targets and Enablers: Targets are the goal of a particular attack, and enablers are resources that help an attacker reach those goals. These targets and enablers can be either processes or data.

  • Channels and Protocols: Channels are a medium for communicating under the rules of a particular protocol. Channels can either be message-passing or shared-memory.

  • Access Rights: Privileges associated with a target, enabler, or channel.

Malware comes in a variety of different forms, including the following:

  • Virus: A virus attaches itself to a host program and spreads when that infected program is run on a compromised system; unlike a worm, it depends on a user or process executing the host.

  • Worm: Worms spread themselves without human interaction via means such as exploiting vulnerable applications and systems.

  • Spyware: Spyware is stealth malware designed to collect information about the user of an infected system.

  • Adware: Adware generates revenue for an attacker by displaying unwanted ads to a user.

  • Trojan Horse: Trojan horses infect systems by masquerading as a benign and desirable program that deploys malicious functionality when executed by a user.

  • Rootkit: Rootkits conceal themselves and other malicious programs (spyware, keyloggers, etc.) on an infected system. They can run either in kernel mode or user mode.

  • Ransomware: Ransomware encrypts or corrupts files on an infected computer and demands a ransom in exchange for restoring access to the user's data.

Software faces risk from various human threat sources, including:

  • Ignorant Users: Legitimate users may unintentionally expose sensitive data or cause other harm via negligence or user error.

  • Accidental Discoverer: A user who accidentally identifies a flaw in software that grants inappropriate access or permissions.

  • Curious Attacker: Someone who identifies an oddity in the functionality of software and investigates it further to see why it occurs and what it lets them do.

  • Script Kiddies: Unskilled but common attackers who use existing tools to attack organizations.

  • Insider: A malicious, trusted user who leverages legitimate access and privileges to cause harm to the organization.

  • Organized Cybercriminals: Professional threat actors who make money through ransomware, data theft, fraud, and similar means.

  • Third-Parties: Vendors, partners, and suppliers can pose risk to an organization. This includes the development of insecure or malicious code or access to corporate systems that is abused or inadequately protected.

  • Advanced Persistent Threat (APT): APTs are well-resourced cyber threat groups that have the ability to pose a persistent threat to an organization's security. They are often associated with organized crime or nation-state actors.

Characteristics of a Service-Oriented Architecture (SOA) include:

  • Abstracted Business Functionality: An SOA abstracts away the internal details of how a system works, providing logical views to the user.

  • Contract-Based Interfaces: All communications between a provider and a consumer use an interface with a set message format, eliminating the need to understand the details of how the other side works.

  • Platform Neutrality: All messages in SOA use a platform-neutral format, such as the Extensible Markup Language (XML).

  • Modularity and Reusability: Services are created as modules with a particular purpose, and these "building blocks" can be combined to implement a desired function.

  • Discoverability: A registry of available services is published using the Universal Description, Discovery, and Integration (UDDI) standard to allow clients to identify them.

  • Interoperability: The abstraction of system internals enables various services on different platforms to interoperate.

Threat Modeling

The STRIDE threat modeling framework includes the following threat categories:

  • Spoofing: Threats to user authentication

  • Tampering: Threats to data integrity

  • Repudiation: Threats to non-repudiation; a user or attacker denies having performed an action and the system lacks the logging or signatures to prove otherwise

  • Information Disclosure: Threats to confidentiality

  • Denial of Service: Threats to availability

  • Elevation of Privilege: Threats to authorization and access management

DREAD is a risk ranking methodology with the following risk categories:

  • Damage Potential: Damage caused if threat occurs

  • Reproducibility: How reliably the attack can be repeated once it is known to work

  • Exploitability: How much effort it takes for a threat to be materialized

  • Affected Users: The number of users or systems impacted by the threat

  • Discoverability: How hard the vulnerability or threat is to discover

Methods of risk ranking include:

  • Delphi Ranking: In Delphi ranking, each team member independently and privately provides a ranking (Minimal, Severe, or Critical) for each threat. This provides insight into the consensus on the severity of various risks.

  • Average Ranking: Average ranking assigns a numeric value to each risk category and averages the results into a single score. DREAD is commonly scored this way, with each category rated on a fixed scale (for example 1 to 10).

  • Probability x Impact (PxI): PxI ranking multiplies the probability that a risk will materialize with the impact if it does.
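The three ranking methods above disagree in instructive ways, which is easiest to see by running them over the same threats. The following is an added example written for these notes (not code from the original page or from any published threat-modeling tool) that scores a small constructed set of threats with DREAD averaging, Probability x Impact, and a majority-vote Delphi round. The threat names, scores, and reviewer votes are made up for illustration; the `Threat` class and helper names are this example's own.

```python
from collections import Counter
from dataclasses import dataclass
from statistics import mean

DREAD_FIELDS = ("damage", "reproducibility", "exploitability", "affected_users", "discoverability")


@dataclass(frozen=True)
class Threat:
    name: str
    damage: int            # D: harm if the threat materializes
    reproducibility: int   # R: how reliably the attack can be repeated
    exploitability: int    # E: how little effort or skill it takes
    affected_users: int    # A: breadth of impact
    discoverability: int   # D: how easy the weakness is to find
    probability: float     # likelihood in [0, 1], used by the P x I method
    impact: int            # impact on a 1..10 scale, used by the P x I method


def dread_score(t: Threat) -> float:
    """Average-ranking method: each DREAD category on 1..10, averaged with equal weight."""
    values = [getattr(t, field) for field in DREAD_FIELDS]
    if any(not 1 <= v <= 10 for v in values):
        raise ValueError(f"{t.name}: DREAD values must be in 1..10")
    return round(mean(values), 2)


def pxi_score(t: Threat) -> float:
    """Probability x Impact: likelihood multiplied by impact."""
    if not 0.0 <= t.probability <= 1.0 or not 1 <= t.impact <= 10:
        raise ValueError(f"{t.name}: probability must be in [0, 1], impact in 1..10")
    return round(t.probability * t.impact, 2)


def rank(threats, scorer):
    """Threat names ordered from highest to lowest score under the given method."""
    return [t.name for t in sorted(threats, key=scorer, reverse=True)]


def delphi_consensus(votes: dict) -> dict:
    """Delphi ranking: each reviewer privately rates a threat Minimal, Severe, or Critical.

    Returns {threat: (majority_label, agreement_fraction)}.  A low fraction flags a
    threat the team should discuss before the next voting round.
    """
    result = {}
    for name, labels in votes.items():
        label, count = Counter(labels).most_common(1)[0]
        result[name] = (label, round(count / len(labels), 2))
    return result


# Constructed sample threats and votes; not taken from a real assessment.
THREATS = [
    Threat("password reset via guessable security questions", 8, 9, 7, 10, 6, 0.6, 8),
    Threat("SQL injection in product search", 10, 10, 8, 10, 7, 0.5, 10),
    Threat("stack trace shown on error page", 3, 10, 10, 10, 9, 0.9, 2),
]
VOTES = {
    "password reset via guessable security questions": ["Severe", "Critical", "Severe", "Severe"],
    "SQL injection in product search": ["Critical", "Critical", "Critical", "Critical"],
    "stack trace shown on error page": ["Minimal", "Severe", "Minimal", "Severe"],
}

if __name__ == "__main__":
    print("DREAD :", rank(THREATS, dread_score))
    print("P x I :", rank(THREATS, pxi_score))
    print("Delphi:", delphi_consensus(VOTES))
```

With these inputs DREAD ranks the low-impact stack trace (8.4) above the password-reset bypass (8.0), because equal weighting lets perfect reproducibility and discoverability outweigh low damage; P x I puts the bypass second and the stack trace last. That sensitivity to weighting is the usual argument for treating DREAD as a triage aid and confirming the order with a Delphi round, where the split 2-2 vote on the stack trace is itself useful information.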


Cloud Architecture

Common cloud architectures include:

  • Software as a Service (SaaS): The customers access a solution fully developed and managed by the cloud provider.

  • Platform as a Service (PaaS): The cloud provider hosts and manages an environment where the customer can create and deploy applications.

  • Infrastructure as a Service (IaaS): The cloud provider manages underlying infrastructure, and the customer can deploy and manage their own virtual machines (VMs).

According to NIST, the four cloud deployment models are:

  • Private Cloud: In a private cloud, also known as an internal or corporate cloud, cloud services are provided to a single customer, often on-prem. It has greater privacy and security than other models.

  • Public Cloud: In the public cloud, multiple cloud customers share infrastructure and services managed by the cloud provider. It has greater flexibility and scalability than other models.

  • Community Cloud: In a community cloud, several organizations with shared requirements (for example, a common regulatory regime) share cloud resources, but the infrastructure is not open to anyone outside that community.

  • Hybrid Cloud: The hybrid cloud combines two or more distinct cloud environments bound together so that data and applications can move between them, providing some of the benefits and risks of each. It is commonly cited as the most widely used model in enterprises.

The five characteristics of the cloud are:

  • On-Demand Self-Service: Customers can deploy solutions and make changes with minimal service provider involvement

  • Broad Network Access: High-bandwidth connectivity exists to the cloud backend and cloud services are accessible over the network

  • Resource Pooling: Cloud tenants share a pool of resources, which are allocated on an as-needed basis

  • Rapid Elasticity: Cloud tenants can rapidly gain access to pooled resources, which can be reallocated when no longer needed

  • Measured Service: Cloud customers' resource usage is monitored, and they are billed based on their usage

In a private cloud the infrastructure is dedicated to one organization, so resources are not pooled with other tenants; pooling across that organization's own business units still applies, which is why NIST lists resource pooling as an essential characteristic of every deployment model.

Language Environment

Hybrid systems like the Common Language Runtime (CLR) and Java Virtual Machine (JVM) compile source code to an intermediate representation (bytecode) that sits between source and machine code; at runtime the virtual machine interprets it or just-in-time (JIT) compiles it to native code.

Compilers convert source code into processor-specific machine code.

Static linking copies the required dependencies into the executable at build time, producing a larger file that is self-contained and easy to distribute, but one that must be rebuilt and redistributed to pick up a security fix in any bundled library.

Dynamic linking records the names (and search paths) of dependencies, which are resolved at load time. It creates smaller files and lets a library be patched once for every program that uses it, but it is exposed to dependency hijacking, where an attacker plants a library that is found first in the search order.

Interpreters use a program to directly execute source code without a compilation step.

Database Security

Key database security elements include:

  • Encryption: Encryption protects data confidentiality by transforming it so that it is unreadable without the decryption key. It complements access controls rather than replacing them: a user or process that bypasses the DBMS (by reading backups or the underlying storage, for example) still cannot recover the data without the key.

  • Triggers: Triggers are functions that run automatically when a particular database event occurs. They can be used for logging, alerting, and similar security tasks.

  • Views: A view is a stored query that presents a chosen subset of columns and rows from one or more tables as if it were a table of its own. Views provide partial visibility into the underlying data and can redact or mask sensitive columns when presenting data to someone who does not need access to those columns.

  • Privilege Management: Databases have built-in access controls (typically GRANT and REVOKE on tables, views, and procedures) that limit the actions a user or application can take. Granting an application rights on a view rather than on the base table is the usual way to combine least privilege with the redaction a view provides.
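The view, trigger, and privilege controls above work best together: the application is granted the masking view, the base table stays private, and a trigger records privilege changes without relying on the application to remember to log them. The following is an added example written for these notes (not code from the original page or from any DBMS vendor) that shows all three on a constructed SQLite database. SQLite has no GRANT statement, so the example uses its authorizer hook to stand in for privilege management; on a server database the same effect is achieved with `GRANT SELECT ON users_public TO app_role` and no grant on `users`. The table, column, and sample rows are made up for illustration.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample database: a PII table, a masking view, and an audit trigger."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (
            id   INTEGER PRIMARY KEY,
            name TEXT NOT NULL,
            ssn  TEXT NOT NULL,
            role TEXT NOT NULL
        );
        CREATE TABLE audit_log (
            id         INTEGER PRIMARY KEY,
            user_id    INTEGER NOT NULL,
            old_role   TEXT,
            new_role   TEXT,
            changed_at TEXT DEFAULT (datetime('now'))
        );
        -- View: partial visibility; callers see only the last four digits of the SSN.
        CREATE VIEW users_public AS
            SELECT id, name, '***-**-' || substr(ssn, -4) AS ssn_last4, role FROM users;
        -- Trigger: every privilege change is recorded automatically, before or after
        -- any application code runs, so it cannot be skipped.
        CREATE TRIGGER audit_role_change AFTER UPDATE OF role ON users
        BEGIN
            INSERT INTO audit_log (user_id, old_role, new_role)
            VALUES (OLD.id, OLD.role, NEW.role);
        END;
        INSERT INTO users (name, ssn, role) VALUES
            ('alice', '123-45-6789', 'user'),
            ('bob',   '987-65-4321', 'admin');
        """
    )
    return conn


def restrict_direct_ssn_reads(conn: sqlite3.Connection) -> None:
    """Privilege management: deny top-level reads of users.ssn but allow them via the view.

    SQLite has no GRANT/REVOKE, so the authorizer hook stands in for it.  The fifth
    callback argument names the view or trigger performing the access, or None when
    the access comes directly from application SQL.
    """
    def authorizer(action, table, column, _db_name, via):
        if action == sqlite3.SQLITE_READ and table == "users" and column == "ssn" and via is None:
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK

    conn.set_authorizer(authorizer)


def read_via_view(conn: sqlite3.Connection):
    """What the application is allowed to see: masked SSNs only."""
    return conn.execute("SELECT name, ssn_last4 FROM users_public ORDER BY id").fetchall()


def read_direct(conn: sqlite3.Connection) -> str:
    """Attempt to bypass the view; the authorizer rejects the statement at prepare time."""
    try:
        conn.execute("SELECT ssn FROM users").fetchall()
        return "allowed"
    except sqlite3.Error as exc:
        return f"denied ({exc})"


def change_role(conn: sqlite3.Connection, user_id: int, new_role: str):
    """Change a privilege and return the audit trail the trigger produced."""
    conn.execute("UPDATE users SET role = ? WHERE id = ?", (new_role, user_id))
    conn.commit()
    return conn.execute("SELECT user_id, old_role, new_role FROM audit_log ORDER BY id").fetchall()


if __name__ == "__main__":
    db = build_db()
    restrict_direct_ssn_reads(db)
    print("via view    :", read_via_view(db))
    print("direct read :", read_direct(db))
    print("audit trail :", change_role(db, 1, "admin"))
```

Note that the masking happens inside the database, so a compromised application account that tries `SELECT ssn FROM users` gets an authorization error rather than the data, and the audit row for the role change exists whether or not the application's own logging worked.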

Database management system (DBMS) concurrency controls protect against:

  • Lost Updates: Two concurrent transactions read the same row, each computes a new value from what it read, and each writes its result; the second write silently overwrites the first, so one change is lost.

  • Dirty Read: One transaction selects a row in a table that has been updated but not committed by another transaction.

  • Nonrepeatable Reads: A transaction reads the same row multiple times and gets different results.

  • Incorrect Summary: One transaction summarizes the values of a repeated data item while another transaction modifies some of these instances, making the summary incorrect.
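The lost update is the easiest of these to reproduce and the one application code most often causes, because a read-modify-write in two separate statements has no concurrency control at all. The following is an added example written for these notes (not code from the original page) that interleaves two sessions against a constructed SQLite account table to produce a lost update, then repeats the same interleaving with optimistic concurrency control (a version column checked in the UPDATE's WHERE clause) so the stale write is rejected and retried. The table, balances, and helper names are made up for illustration.

```python
import os
import sqlite3
import tempfile


def make_db() -> str:
    """Create a constructed sample account table in a fresh temporary database file."""
    path = os.path.join(tempfile.mkdtemp(prefix="dbms-concurrency-"), "bank.db")
    conn = sqlite3.connect(path)
    with conn:
        conn.execute(
            "CREATE TABLE accounts (id INTEGER PRIMARY KEY, balance INTEGER NOT NULL, "
            "version INTEGER NOT NULL DEFAULT 0)"
        )
        conn.execute("INSERT INTO accounts (id, balance) VALUES (1, 100)")
    conn.close()
    return path


def connect(path: str) -> sqlite3.Connection:
    # Autocommit: every statement is its own transaction, as many applications run by default.
    return sqlite3.connect(path, isolation_level=None)


def read_account(conn: sqlite3.Connection):
    return conn.execute("SELECT balance, version FROM accounts WHERE id = 1").fetchone()


def naive_withdraw(conn: sqlite3.Connection, observed_balance: int, amount: int) -> None:
    """Read-modify-write with no concurrency control: writes whatever the caller computed."""
    conn.execute("UPDATE accounts SET balance = ? WHERE id = 1", (observed_balance - amount,))


def optimistic_withdraw(conn: sqlite3.Connection, observed, amount: int) -> bool:
    """Conditional update: succeeds only if nobody changed the row since it was read."""
    balance, version = observed
    if balance < amount:
        return False
    cur = conn.execute(
        "UPDATE accounts SET balance = ?, version = version + 1 "
        "WHERE id = 1 AND version = ?",
        (balance - amount, version),
    )
    return cur.rowcount == 1  # 0 rows means the version moved: our read is stale


def lost_update_demo(path: str, a_amount: int, b_amount: int) -> int:
    """Sessions A and B interleave read, read, write, write; A's write is lost."""
    a, b = connect(path), connect(path)
    seen_by_a = read_account(a)
    seen_by_b = read_account(b)                  # B reads before A has written
    naive_withdraw(a, seen_by_a[0], a_amount)
    naive_withdraw(b, seen_by_b[0], b_amount)    # B's stale value clobbers A's update
    final = read_account(a)[0]
    a.close()
    b.close()
    return final


def optimistic_demo(path: str, a_amount: int, b_amount: int):
    """Same interleaving, but B's stale update is rejected and retried after a re-read."""
    a, b = connect(path), connect(path)
    seen_by_a = read_account(a)
    seen_by_b = read_account(b)
    a_ok = optimistic_withdraw(a, seen_by_a, a_amount)          # version 0 -> 1
    b_first = optimistic_withdraw(b, seen_by_b, b_amount)       # version mismatch: rejected
    b_retry = optimistic_withdraw(b, read_account(b), b_amount)  # re-read, then succeed
    final = read_account(a)[0]
    a.close()
    b.close()
    return final, a_ok, b_first, b_retry


if __name__ == "__main__":
    print("naive      ->", lost_update_demo(make_db(), 30, 50))
    print("optimistic ->", optimistic_demo(make_db(), 30, 50))
```

Starting from 100, withdrawing 30 and then 50 should leave 20; the naive interleaving leaves 50, and the 30 simply disappears. The optimistic version is the lightweight fix; the pessimistic alternative is to take a write lock before reading (`BEGIN IMMEDIATE` in SQLite, `SELECT ... FOR UPDATE` in most server databases) so the second session blocks instead of reading a value that is about to change. Dirty and nonrepeatable reads are prevented by the DBMS isolation level rather than by application logic, which is why they are not shown here.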

Distributed Computing

Some of the common software architecture models include:

  • Mainframe Architecture: Mainframes are designed for bulk data processing. This architecture allows processing to be performed in a central location within a secure perimeter.

  • Client/Server Architecture: Client/server is a distributed architecture in which a client requests services from a server. The modern Internet works under a client/server model where clients can perform significant processing and request resources from servers. Server scalability, availability, and security are essential to the success of this model.

  • Peer-to-Peer: In a peer-to-peer architecture, a system has the ability to act as both a client and a server. File sharing and blockchain technology are examples of peer-to-peer systems.

  • Service-Oriented Architecture (SOA): SOA abstracts away the details of how a system works, exposing services to clients.

The enterprise service bus (ESB) is a component of service-oriented architecture (SOA) that handles communications between data producers and consumers. Key services include:

  • Translating protocols

  • Handling predefined events

  • Message queuing and data flow mapping

Flow control manages the movement of data between various systems, applications, etc. Important flow control tools include:

  • Firewalls: Firewalls enforce corporate policy by inspecting network traffic and permitting or blocking it based on rules. Firewalls come in various forms, including packet-filtering, stateful, and next-generation.

  • Proxies: Proxies act as a middleman in traffic flows, protecting the privacy and security of the source or destination of the traffic.

  • Queues: Queuing protects against network congestion and against overwhelming slower or legacy recipients by buffering messages when the sender produces them faster than the recipient can process them; the backlog also needs a bound, or the queue itself becomes a denial-of-service target.
