SecurityArena

Guide to Practical Info Security!

Written by Administrator   
Friday, 10 July 2009 13:53

CBK Applications and Systems Development Security (Part-2)


Capability Maturity Model Integration

Capability Maturity Model Integration (CMMI) in software engineering and organizational development is a process improvement approach that provides organizations with the essential elements for effective process improvement.
CMMI is a collection of best practices that meet the needs of organizations in different areas of interest. A collection of best practices that cover a particular area of interest is called a CMMI model.
CMMI currently addresses three areas of interest:
  • Product and service development — CMMI for Development (CMMI-DEV),
  • Service establishment, management, and delivery — CMMI for Services (CMMI-SVC), and
  • Product and service acquisition — CMMI for Acquisition (CMMI-ACQ)
CMMI was developed by a group of experts from industry, government, and the Software Engineering Institute (SEI) at Carnegie Mellon University. CMMI originated in software engineering but has been highly generalised over the years to embrace other areas of interest, such as the development of hardware products, the delivery of all kinds of services, and the acquisition of products and services. The word "software" does not appear in definitions of CMMI. This generalization of improvement concepts makes CMMI extremely abstract. It is not as specific to software engineering as its predecessor, the Software CMM.
Appraisal
An organization cannot be certified in CMMI; instead, an organization is appraised. Depending on the type of appraisal, the organization can be awarded a maturity level rating (1-5) or a capability level achievement profile.
Many organizations find value in measuring their progress by conducting an appraisal. Appraisals are typically conducted for one or more of the following reasons:
  • To determine how well the organization’s processes compare to CMMI best practices, and to identify areas where improvement can be made
  • To inform external customers and suppliers of how well the organization’s processes compare to CMMI best practices
  • To meet the contractual requirements of one or more customers
Appraisals of organizations using a CMMI model must conform to the requirements defined in the Appraisal Requirements for CMMI (ARC) document. The five maturity levels, from lowest to highest, are Initial, Repeatable, Defined, Managed and Optimized.

 


Types of programming languages

Low level Programming Language

A low-level programming language is a language that provides little or no abstraction from a computer's instruction set architecture. These languages are also described as being "close to the hardware." Low-level programming languages are sometimes divided into two categories:

  • First generation or 1GL, is machine code. It is the only language a microprocessor can understand directly.
  • Second generation, or 2GL, is assembly language. It is not a microprocessor's native language: an assembly language programmer must still understand the microprocessor's unique architecture, such as its registers and instructions. These mnemonic instructions are then assembled directly into machine code.

High-level Programming Language

In computing, a high-level programming language is a programming language with strong abstraction from the details of the computer. In comparison to low-level programming languages, it may use natural language elements, be easier to use, or be more portable across platforms. Such languages hide the details of CPU operations such as memory access models and management of scope. The amount of abstraction provided defines how 'high-level' a programming language is. Unlike low-level assembly language, their statements do not correspond directly to machine opcodes, so a compiler or interpreter is needed to produce machine code.

Very High-level Programming Language

A very high-level programming language (VHLL) is a programming language with a very high level of abstraction. These are usually limited to a very specific application, purpose, or type of task.
The terms high-level and low-level are inherently relative. Some decades ago, the C language was most often considered "high-level", while assembly language was considered "low-level". But many programmers today might refer to C as low-level, as it lacks many modern high-level language features.

Compilers, Interpreters and Assemblers

Various programs are used to turn high-level programming code (or source code) into object or machine code. These programs are interpreters, compilers, and assemblers. They work as translators. Interpreters translate one command at a time during execution, and compilers translate large sections of code at a time. Assemblers translate assembly language into machine language. Most applications are compiled, whereas many scripting languages are interpreted.
Interpreted programs have instructions that are read and interpreted by a program one instruction at a time. This program, the interpreter, converts high-level instructions into machine-readable format in real time. Compiled programs are written in a high-level language and turned into machine-readable format by a program called a compiler.


OOP / Object-Oriented Programming

(Ref: Wikipedia)
Class
Defines the abstract characteristics of a thing (object), including the thing's characteristics (its attributes, fields or properties) and the thing's behaviors (the things it can do, or methods, operations or features). Classes provide modularity and structure in an object-oriented computer program.
Object
A pattern of a class. The class of Dog defines all possible dogs by listing the characteristics and behaviors they can have; the object Lucy is one particular dog, with particular versions of the characteristics. A Dog has colour; Lucy has black colour.
Instance
One can have an instance of a class or a particular object. The instance is the actual object created at runtime. In programming terms, the Lucy object is an instance of the Dog class. The set of values of the attributes of a particular object is called its state. The object consists of state and the behaviour that's defined in the object's class.
Method
An object's abilities. In language, methods (sometimes referred to as "functions") are verbs. Lucy, being a Dog, has the ability to bark. So bark() is one of Lucy's methods.  Within the program, using a method usually affects only one particular object; all Dogs can bark, but you need only one particular dog to do the barking.
Message passing
"The process by which an object sends data to another object or asks the other object to invoke a method." Also known to some programming languages as interfacing. For example, the object called Spike may tell the Lucy object to sit by passing a "sit" message which invokes Lucy's "sit" method.
Inheritance
"Subclasses" are more specialized versions of a class, which inherit attributes and behaviors from their parent classes, and can introduce their own attributes and behaviors as well.
For example, the class Dog might have sub-classes called Boxer and Pug. In this case, Lucy would be an instance of the Pug subclass. Suppose the Dog class defines a method called bark() and a property called furColor. Each of its sub-classes (Boxer and Pug) will inherit these members, meaning that the programmer only needs to write the code for them once.
Each subclass can alter its inherited traits. For example, the Pug class might specify that the default furColor for a pug is brown. The Boxer subclass might specify that the bark() method produces a high pitch by default. Subclasses can also add new members. The Boxer subclass could add a method called tremble(). So an individual Boxer instance would use a high-pitched bark() from the Boxer subclass, which in turn inherited the usual bark() from Dog. The Boxer object would also have the tremble() method, but Lucy would not, because she is a Pug, not a Boxer.
Multiple inheritance
It is inheritance from more than one ancestor class, neither of these ancestors being an ancestor of the other. For example, independent classes could define Dogs and Cats, and a Chimera object could be created from these two which inherits all the (multiple) behavior of cats and dogs. This is not always supported, as it can be hard both to implement and to use well.
Abstraction
Abstraction is simplifying complex reality by modeling classes appropriate to the problem, and working at the most appropriate level of inheritance for a given aspect of the problem.
For example, Lucy the Dog may be treated as a Dog much of the time, a Pug when necessary to access Pug-specific attributes or behaviors, and as an Animal (perhaps the parent class of Dog) when counting your pets.
Abstraction is also achieved through Composition. For example, a class Car would be made up of an Engine, Gearbox, Steering objects, and many more components. To build the Car class, one does not need to know how the different components work internally, but only how to interface with them, i.e., send messages to them, receive messages from them, and perhaps make the different objects composing the class interact with each other.
Encapsulation
Encapsulation conceals the functional details of a class from objects that send messages to it.
For example, the Dog class has a bark() method. The code for the bark() method defines exactly how a bark happens (e.g., by inhale() and then exhale(), at a particular pitch and volume). You, Lucy's friend, however, do not need to know exactly how she barks. Encapsulation is achieved by specifying which classes may use the members of an object. The result is that each object exposes to any class a certain interface. The reason for encapsulation is to prevent clients of an interface from depending on those parts of the implementation that are likely to change in future, thereby allowing those changes to be made more easily, that is, without changes to clients. For example, an interface can ensure that puppies can only be added to an object of the class Dog by code in that class. Members are often specified as public, protected or private, determining whether they are available to all classes, sub-classes or only the defining class. Some languages go further: Java uses the default access modifier to restrict access also to classes in the same package, C# and VB.NET reserve some members to classes in the same assembly using the keywords internal (C#) or Friend (VB.NET), and Eiffel and C++ allow one to specify which classes may access any member.
Polymorphism
Polymorphism allows the programmer to treat derived class members just like their parent class's members. More precisely, polymorphism in object-oriented programming is the ability of objects belonging to different data types to respond to calls of methods of the same name, each one according to an appropriate type-specific behavior. One method, or an operator such as +, -, or *, can be abstractly applied in many different situations. If a Dog is commanded to speak(), this may elicit a bark(). However, if a Cow is commanded to speak(), this may elicit a haan(). They both inherit speak() from Animal, but their derived class methods override the methods of the parent class; this is overriding polymorphism.
Overloading Polymorphism is the use of one method signature, or one operator such as "+", to perform several different functions depending on the implementation. The "+" operator, for example, may be used to perform integer addition, float addition, list concatenation, or string concatenation. Any two subclasses of Number, such as Integer and Double, are expected to add together properly in an OOP language. The language must therefore overload the addition operator, "+", to work this way. This helps improve code readability. How this is implemented varies from language to language, but most OOP languages support at least some level of overloading polymorphism. Pointers are an example of a simple polymorphic routine that can be used with many different types of objects.
Decoupling
Decoupling allows for the separation of object interactions from classes and inheritance into distinct layers of abstraction. A common use of decoupling is to polymorphically decouple the encapsulation, which is the practice of using reusable code to prevent discrete code modules from interacting with each other. However, in practice decoupling often involves trade-offs with regard to which patterns of change to favor. The science of measuring these trade-offs in respect to actual change in an objective way is still in its infancy.
Not all of the above concepts are to be found in all object-oriented programming languages, and so object-oriented programming that uses classes is sometimes called class-based programming.
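The Dog/Pug/Boxer/Cow hierarchy used throughout the section above, written out in Python as an added example (this code is not from the original notes). It shows class versus instance, encapsulation of the puppy list behind add_puppy(), inheritance with an altered default and an overridden bark(), overriding polymorphism through speak(), message passing, and composition. The names Animal.tell, Dog.add_puppy, Dog.sit, Car and Engine are assumptions introduced for the illustration.

```python
# Added example, not part of the original notes: the Dog/Pug/Boxer/Cow
# hierarchy from the text. Animal.tell, Dog.add_puppy, Dog.sit, Car and
# Engine are assumed names introduced for illustration.


class Animal:
    """Parent class of Dog; the level of abstraction used when counting pets."""

    def __init__(self, name):
        self.name = name

    def speak(self):
        return "..."

    def tell(self, other, message):
        """Message passing: ask another object to invoke one of its methods."""
        return getattr(other, message)()


class Dog(Animal):
    """Defines the attributes (fur_color) and behaviours (bark, sit) of all dogs."""

    default_fur_color = "unknown"

    def __init__(self, name, fur_color=None):
        super().__init__(name)
        self.fur_color = fur_color or self.default_fur_color
        self._puppies = []          # encapsulated: only Dog's own code appends to it

    def bark(self):
        # Clients never see how a bark happens: inhale, then exhale at a pitch.
        return self._inhale() + self._exhale(pitch="normal")

    def speak(self):
        return self.bark()          # overriding polymorphism: a Dog's speak() barks

    def sit(self):
        return f"{self.name} sits"

    def add_puppy(self, puppy):
        """The interface ensures only a Dog can be added as a puppy."""
        if not isinstance(puppy, Dog):
            raise TypeError("only a Dog can be added as a puppy")
        self._puppies.append(puppy)

    def puppy_count(self):
        return len(self._puppies)

    def _inhale(self):
        return "(inhale)"

    def _exhale(self, pitch):
        return f"woof@{pitch}"


class Pug(Dog):
    default_fur_color = "brown"     # subclass alters an inherited trait


class Boxer(Dog):
    def bark(self):                 # overrides the inherited bark with a high pitch
        return self._inhale() + self._exhale(pitch="high")

    def tremble(self):              # new member that Pugs do not have
        return f"{self.name} trembles"


class Cow(Animal):
    def speak(self):
        return "haan"


class Engine:
    def start(self):
        return "engine started"


class Car:
    """Composition: a Car is built from components it only interfaces with."""

    def __init__(self):
        self.engine = Engine()

    def drive(self):
        return self.engine.start()


def chorus(animals):
    """Polymorphism: every Animal answers speak() in its own type-specific way."""
    return [a.speak() for a in animals]


def count_pets(animals):
    """Abstraction: treat everything as an Animal when counting."""
    return sum(1 for a in animals if isinstance(a, Animal))


if __name__ == "__main__":
    lucy = Pug("Lucy", fur_color="black")
    spike = Boxer("Spike")
    print(chorus([lucy, spike, Cow("Daisy")]))
    print(spike.tell(lucy, "sit"))
```

Note that Python only marks `_puppies` as private by convention; the access-control point the text makes about Java, C# and C++ is enforced here by routing every change through add_puppy() rather than by the language.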


Structured analysis approach

A full structured analysis approach looks at all objects and subjects of an application and maps the interrelationships, communications paths, and inheritance properties. Object-oriented analysis (OOA) is a structured analysis approach. OOA is the process of classifying objects that will be appropriate for a solution.

Data modeling approach

In this approach data is considered independently of the way that the data is processed and of the components that process the data. A data model follows an input value from beginning to end and verifies that the output is correct.
Structured Analysis vs Data Modelling
OOA is an example of a structured analysis approach. If an analyst is reviewing the OOA of an application, she will make sure that all relationships are set up correctly, that the inheritance flows in a predictable and usable manner, that the instances of objects are practical and provide the necessary functionality, and that the attributes of each class cover all the necessary values used by the application. When another analyst does a data model review of the same application, he will follow the data and the returned values after processing takes place. An application can have a perfect OOA structure, but when 1 + 1 is entered and it returns –3, something is wrong. This is what the data modeling looks at.


Phases of object-oriented design and development

Specification

During this stage a rough idea of the purpose of the subsystem and the services it will provide is proposed.
Exploratory Design

During this stage key objects and their interactions are modeled. An initial pass is made at defining each key class's role and responsibilities. Several additional layers of each subsystem design can be elaborated. Services available to objects outside the subsystem are specified in greater detail.
Detailed modeling 

Extensive review and refinement of the initial model. Classes are scrutinized for appropriate factoring of responsibilities to minimize inter-object dependencies and simplify the design. New supporting classes may be created to further reduce coupling between classes. And permissible patterns of collaboration between objects can be formalized through contracts that spell out services used by specific clients. Finally, class inheritance hierarchies can be developed.

Implementation Phase

Actual coding and building of system.

Integration

A crucial point in any large application comes when subsystems developed in relative isolation (after agreeing upon basic inter-subsystem interactions and publicly available services) are made to work together. Test stub methods and objects are replaced by the real application components they stood in for. It is at this stage that hidden assumptions about services provided and/or expected patterns of usage are uncovered, and once again might need readjusting.
Validation

It is necessary to validate behavior of individual components and the overall behavior of major subsystems in the actual working environment.
Cleanup

A relatively minor sweep through the classes and working code can often provide dramatic improvements in performance, code clarity, robustness and, importantly, security.
Generalization for broader utility

This activity needs to be carefully planned. Not all subsystems are significant enough or have enough potential utility to merit this extra effort without compromising security.

Computer-aided software engineering (CASE)

CASE tools aid in keeping more detailed records of requirements, design, and implementation and in testing the program and project overall. When the automation covers the complete life cycle of a product, the tools are referred to as integrated computer-aided software engineering (I-CASE) tools. Many CASE tools utilize rapid prototyping technologies that enable applications to be developed faster with higher quality and lower cost.


Cohesion and Coupling

A cohesive module does just one function, and it does it with little or no interaction with other modules. Cohesiveness decreases complexity, because fewer interactions mean lower complexity and make problems simpler to track down. The best programming uses the most cohesive modules possible, but because different modules need to pass data and communicate, they usually cannot be totally cohesive.
Coupling is a measure of interconnection among modules in an application. The level of coupling involved between modules depends on the interface’s complexity, the data being passed between modules, and the point of entry or reference made to the module itself. The lower the coupling, the better the software design, because it promotes module independence. The more independent a component is, the less complex the application is, and the easier it is to modify and troubleshoot.
High cohesion and low coupling is desired.


Object Management Architecture

The Object Management Architecture (OMA) provides standards to build a complete distributed environment. It contains two main parts:

  • System-oriented components: object request brokers (ORBs) and object services
  • Application-oriented components: application objects and common facilities

ORB is the middleware that establishes the client/server relationship between objects. The ORB manages all communications between components and enables them to interact in a heterogeneous and distributed environment. The ORB works independently of the platforms where the objects reside, which provides greater interoperability. ORBs rely on object services to provide access control, track relocated objects, and create objects.

Common Object Request Broker Architecture (CORBA)

The Object Management Group (OMG) developed the CORBA model for the use of these different services in an environment. This standardization enables many different developers to write hundreds or thousands of components that can interact with other components in an environment without having to know how the component actually works.
When objects communicate with each other, they use pipes, which are inter-component communication services. There are different types of pipes, such as remote procedure calls (RPCs) and ORBs. ORBs provide communications between distributed objects. CORBA specifies an interface definition language (IDL) and APIs that interface to the ORB.

COM and DCOM

Component Object Model (COM) defines how components interact and provides an architecture for simple interprocess communication (IPC). COM enables applications to use components on the same system.
Distributed Component Object Model (DCOM) supports the same model for component interaction, but supports distributed IPC. DCOM enables applications to access objects that reside in different parts of a network. DCOM works as the middleware that enables distributed processing and provides developers with services that support process-to-process communications across networks. DCOM provides ORB services, data connectivity services, distributed messaging services, and distributed transaction services layered over its RPC mechanism.
Without DCOM, programmers would have to write much more complicated code to find necessary objects, set up network sockets, and incorporate the services necessary to allow communication. DCOM takes care of these issues and more, and enables the programmer to focus on his tasks at hand. DCOM has a library that takes care of session handling, synchronization, buffering, fault identification and handling, and data format translation.

Middleware

Other middleware provides similar functionality to DCOM: ORBs, message-oriented middleware (MOM), RPC, ODBC, and so on.

Object Linking and Embedding

Object linking and embedding (OLE) provides a way for objects to be shared on a local personal computer and to use COM as their foundation. OLE enables objects to be embedded into documents, like graphics, pictures, and spreadsheets.


Mobile Code

Code that can be transmitted across a network, to be executed by a system or device on the other end, is called mobile code. There are many legitimate reasons to allow mobile code; for example, web browser applets that may execute in the background to download additional content for the web page, such as music or a video image.
The cautions arise when a web site downloads code intended to do malicious or compromising actions, especially when the recipient is unaware that the compromising activity is taking place. If a web site is compromised, it can be used as a platform from which to launch attacks against anyone visiting the site and just browsing. On a web browser, having security settings set to high, or disallowing various scripting or active web components, may be an appropriate countermeasure. Java applets and ActiveX controls are examples of mobile code.

ActiveX

ActiveX components can run on any platform that supports DCOM (using the COM model) or that communicates using DCOM services.

Enterprise JavaBeans

Java is platform independent because it is not compiled to processor-specific machine code. The JVM interprets bytecode to machine code for that specific computer system.
Enterprise JavaBeans (EJB) is a structural design for the development and implementation of distributed applications written in Java. EJB provides interfaces and methods to allow different applications to be able to communicate across a networked environment. Java is also compatible with CORBA.
Java Security
Java applets use a security scheme that employs a sandbox to limit the applet’s access to certain specific areas within the user’s system and protects the system from malicious or poorly written applets. The applet is supposed to run only within the sandbox. The sandbox restricts the applet’s environment by restricting access to a user’s hard drives and system resources. If the applet does not go outside the sandbox, it is considered safe.
Browser Settings
Java applets and the actions that they perform can be prevented and controlled by specific browser settings. These settings do not affect full-fledged Java applications running outside of the browser.


Expert Systems

Expert systems, also called knowledge-based systems, use artificial intelligence (AI) to solve problems. Expert systems emulate human logic to solve problems that would usually require human intelligence and intuition.

 


Malicious Software (Malware)

There are several types of malicious code: viruses, worms, Trojan horses, and logic bombs. They usually are dormant until activated by an event the user or system initiates. Malicious code can be detected through the following clues:

  • File size increase
  • Many unexpected disk accesses
  • Change in update or modified timestamp
  • Sudden decrease of hard drive space
  • Unexpected and strange activity by applications

A “pseudo-flaw” is code inserted into an application on purpose to trap potential intruders.
Virus
A virus is a small application, or string of code, that infects applications. The main function of a virus is to reproduce, and it requires a host application to be able to do this. In other words, viruses cannot replicate on their own. A virus infects files by inserting or attaching a copy of itself to the file. The virus may also cause destruction by deleting system files, displaying graphics, reconfiguring systems, or overwhelming mail servers.

  • Boot sector viruses infect the boot sector of a computer and either move data within the boot sector or overwrite the sector with new information.
  • Compression viruses append themselves to executables on the system and compress them by using the user’s permissions.
  • A stealth virus hides the modifications that it has made to files or boot records. This can be accomplished by monitoring system functions used to read files or sectors and forging the results.
  • A polymorphic virus produces varied but operational copies of itself.
  • A multipart virus infects both the boot sector of a hard drive and executable files.
  • A self-garbling virus attempts to hide from antivirus software by garbling its own code.
  • Meme viruses are not actual computer viruses but types of e-mail messages that are continually forwarded around the Internet.

EICAR test
An EICAR test exercises antivirus software by introducing a harmless test file that the software is designed to detect as if it were a virus, so that its detection and reaction activities can be checked. Antivirus products ship with a signature that matches the EICAR.com test file. After software configurations are completed, you place this file on the system to test the antivirus product's reaction to a virus.
Macros
Macros are programs written in Word Basic, Visual Basic, or VBScript and are usually used with Microsoft Office products. Macros automate tasks that users would otherwise have to carry out themselves. A macro virus is a virus written in one of these macro languages and is platform independent.
Worm
Worms are different from viruses in that they can reproduce on their own without a host application, and are self-contained programs. A worm can propagate itself by using email, TCP/IP, and disk drives. The definitions of a worm and virus are continually merging, and the distinction is becoming more blurred.
Logic Bomb
A logic bomb executes a program, or string of code, when a certain event happens or a date and time arrives.
Trojan Horse
A Trojan horse is a program that is disguised as another program. For example, a Trojan horse can be named Notepad.exe and have the same icon as the regular Notepad program. However, when a user executes Notepad.exe, it may still run the Notepad program for the user but in the background manipulate files or cause some other malicious acts. A host-based IDS can be configured to watch certain files and detect when they grow in size, which is often a sign of a Trojan horse. If the original Notepad.exe was 50KB in size and then grew to 2MB, it may indicate that a Trojan horse has infected that program.
Remote access Trojans are malicious programs that run on systems and allow intruders to access the system remotely. They mimic the functionality of legitimate remote control programs used for remote administration, but they are used for sinister purposes instead of helpful activities. They are usually hidden in some type of mobile code, such as in Java applets or ActiveX controls that are downloaded from web sites. The Trojan and attacker work in a client/server model. The remote access Trojan installed on the victim’s system is the server portion, and the attacker has a client piece. The server portion of the Trojan listens on a specific port, which allows a remote backdoor into the victim’s system.
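The detection clues listed at the start of this section (file size increase, changed modification timestamp, altered content) and the host-based IDS check in the Trojan horse paragraph (Notepad.exe growing from 50KB to 2MB) come down to comparing files against a recorded baseline. The following is an added example, not code from the original notes, of such a baseline check; the directory, file names and sizes it creates under a temporary directory are constructed for the demonstration.

```python
# Added example, not from the original notes: a file-integrity baseline that
# reports the clues listed in the text (size increase, changed timestamp,
# changed content, new or missing files). Paths and sizes in demo() are
# constructed for the demonstration.
import hashlib
import os
import tempfile


def _sha256(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(directory):
    """Record size, mtime and SHA-256 for every regular file under directory."""
    baseline = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            st = os.stat(path)
            rel = os.path.relpath(path, directory)
            baseline[rel] = {"size": st.st_size, "mtime": st.st_mtime,
                             "sha256": _sha256(path)}
    return baseline


def compare(baseline, current, growth_ratio=2.0):
    """Return (file, finding) pairs for every deviation from the baseline.

    A file whose size grew by growth_ratio or more is reported as a sharp
    increase, the kind of change the text's 50KB-to-2MB Notepad.exe shows.
    """
    findings = []
    for rel, old in sorted(baseline.items()):
        new = current.get(rel)
        if new is None:
            findings.append((rel, "missing"))
            continue
        if new["sha256"] != old["sha256"]:
            findings.append((rel, "content changed"))
        if new["size"] > old["size"]:
            sharp = new["size"] >= old["size"] * growth_ratio
            findings.append((rel, "size increased sharply" if sharp else "size increased"))
        if new["mtime"] != old["mtime"]:
            findings.append((rel, "modification timestamp changed"))
    for rel in sorted(set(current) - set(baseline)):
        findings.append((rel, "new file"))
    return findings


def demo():
    """Constructed scenario: a 50KB program grows to 2MB and a new file appears."""
    with tempfile.TemporaryDirectory() as tmp:
        program = os.path.join(tmp, "notepad.exe")
        with open(program, "wb") as fh:
            fh.write(b"M" * (50 * 1024))
        baseline = snapshot(tmp)

        with open(program, "ab") as fh:          # simulate the program being altered
            fh.write(b"X" * (2 * 1024 * 1024 - 50 * 1024))
        with open(os.path.join(tmp, "dropped.dll"), "wb") as fh:
            fh.write(b"D" * 16)
        return compare(baseline, snapshot(tmp))


if __name__ == "__main__":
    for path, finding in demo():
        print(f"{finding}: {path}")
```

In practice the baseline itself must be stored where the monitored system cannot rewrite it (read-only media or a separate host), since a piece of malware that can modify Notepad.exe can otherwise just as easily update the recorded hash.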


Attacks

Denial-of-service

Denial-of-service (DoS) attacks are performed by sending malformed packets to a system that does not recognize the format and thus does not know how to properly process it. This can cause the system to crash or stop processing other packets. DoS attacks can interrupt service or completely deny legitimate users access to needed system resources.
DoS attacks can be amplified by several attackers combining their bandwidth and attacking simultaneously.
Smurf
Smurf is a simple attack based on IP spoofing and broadcasts. A single packet (such as an ICMP Echo Request) is sent as a directed broadcast to a subnet on the Internet. All the machines on that subnet respond to this broadcast. By spoofing the source IP address of the packet, all the responses will get sent to the spoofed IP address. Thus, a hacker can often flood a victim with hundreds of responses for every request the hacker sends out. Possible countermeasures to smurf attacks are:

  • Disable direct broadcast functionality at border routers to make sure a certain network is not used as an amplifying site.
  • Configure perimeter routers to reject as incoming messages any packets that contain internal source IP addresses. These packets are spoofed.
  • Allow only the necessary ICMP and UDP traffic into and out of an environment.
  • Employ a network-based IDS to watch for suspicious activity.
  • Some systems are more sensitive to certain types of DoS, and patches have already been released. The appropriate patches should be applied.

Fraggle

Fraggle, a variant of Smurf, uses UDP instead of ICMP. The attacker broadcasts a spoofed UDP packet to the amplifying network, which in turn replies to the victim's system. The larger the amplifying network, the larger the amount of traffic that is pointed at the victim's system.
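Two of the Smurf countermeasures listed above, refusing traffic to directed broadcast addresses and rejecting inbound packets with internal source addresses, can be expressed as a packet classifier, which also covers the UDP case that Fraggle uses. The following is an added example, not code from the original notes; the interface names, the 192.0.2.0/24 internal range and the packet records are constructed for the demonstration.

```python
# Added example, not from the original notes: classifies constructed packet
# records against the Smurf/Fraggle countermeasures in the text. Interface
# names, addresses and the record layout are assumptions for the demo.
import ipaddress
from dataclasses import dataclass

INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # constructed internal range
AMPLIFIER_UDP_PORTS = {7, 19}   # UDP echo and chargen, the services Fraggle abuses


@dataclass(frozen=True)
class Packet:
    iface: str          # "outside" (border link) or "inside"
    proto: str          # "icmp", "udp" or "tcp"
    src: str
    dst: str
    dport: int = 0
    icmp_type: str = ""


def classify(pkt, internal_nets=INTERNAL_NETS):
    """Return the reasons a packet should be dropped or alerted on (empty if none)."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    reasons = []
    # Countermeasure 1: never let echo traffic reach a directed broadcast address,
    # otherwise this network becomes the amplifier.
    for net in internal_nets:
        if dst == net.broadcast_address:
            if pkt.proto == "icmp" and pkt.icmp_type == "echo-request":
                reasons.append("smurf: ICMP echo request to directed broadcast")
            elif pkt.proto == "udp" and pkt.dport in AMPLIFIER_UDP_PORTS:
                reasons.append("fraggle: UDP echo/chargen to directed broadcast")
    # Countermeasure 2: a packet arriving from outside cannot legitimately
    # carry an internal source address; it is spoofed.
    if pkt.iface == "outside" and any(src in net for net in internal_nets):
        reasons.append("spoof: internal source address arriving from outside")
    return reasons


def analyze(packets, internal_nets=INTERNAL_NETS):
    """(index, reason) for every flagged packet in the capture."""
    return [(i, r) for i, p in enumerate(packets) for r in classify(p, internal_nets)]


# Constructed capture: two amplification attempts, one spoofed packet,
# one normal outbound ping and one normal inbound connection.
SAMPLE = [
    Packet("outside", "icmp", "203.0.113.5", "192.0.2.255", icmp_type="echo-request"),
    Packet("outside", "udp", "203.0.113.5", "192.0.2.255", dport=7),
    Packet("outside", "tcp", "192.0.2.10", "192.0.2.20", dport=443),
    Packet("inside", "icmp", "192.0.2.10", "198.51.100.1", icmp_type="echo-request"),
    Packet("outside", "tcp", "198.51.100.7", "192.0.2.20", dport=443),
]

if __name__ == "__main__":
    for index, reason in analyze(SAMPLE):
        print(index, reason)
```

The spoof rule is the ingress-filtering half of the defence; the broadcast rule is what keeps a site from being used as an amplifier against someone else.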

SYN Flood

A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of TCP SYN requests to a target system. The SYN flood is a well-known type of attack and is generally not effective against modern networks. It works if a server allocates resources after receiving a SYN but before it has received the client's ACK that completes the handshake.
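The condition the paragraph describes, resources held for SYNs whose final ACK never arrives, is what a monitor has to count. The following is an added example, not code from the original notes, that tracks half-open handshakes per service from client-side TCP events and raises an alert once too many have aged past a timeout; the timeout, threshold, addresses and events are constructed for the demonstration.

```python
# Added example, not from the original notes: counts half-open TCP handshakes
# (SYN seen, client's completing ACK not seen) per service. The timeout,
# threshold, addresses and event records are assumptions for the demo.
from collections import defaultdict

SYN_TIMEOUT = 3.0       # seconds a SYN may wait for the client's ACK (assumed)
ALERT_THRESHOLD = 20    # half-open connections per service before alerting (assumed)


def half_open_connections(events, now, timeout=SYN_TIMEOUT):
    """Map "dst:port" to the number of handshakes still incomplete after timeout.

    events are client-side segments as (time, flag, src, sport, dst, dport),
    where flag is "SYN" for the first segment and "ACK" for the third one.
    """
    pending = {}
    for t, flag, src, sport, dst, dport in events:
        key = (src, sport, dst, dport)
        if flag == "SYN":
            pending[key] = t                    # server would allocate state here
        elif flag == "ACK":
            pending.pop(key, None)              # handshake completed, state released
    by_service = defaultdict(int)
    for (_src, _sport, dst, dport), t in pending.items():
        if now - t >= timeout:
            by_service[f"{dst}:{dport}"] += 1
    return dict(by_service)


def alerts(events, now, threshold=ALERT_THRESHOLD):
    """Services whose aged half-open count reaches the threshold."""
    return [svc for svc, n in half_open_connections(events, now).items() if n >= threshold]


def build_sample():
    """Constructed capture: a 50-SYN flood plus three legitimate clients."""
    events = []
    # Flood: 50 SYNs from 50 different (constructed) sources, never completed.
    for i in range(50):
        events.append((0.1 * i, "SYN", f"198.51.100.{i + 1}", 40000 + i, "192.0.2.20", 80))
    # Legitimate clients: each SYN is followed by the completing ACK.
    for i in range(3):
        events.append((1.0 + i, "SYN", "203.0.113.9", 50000 + i, "192.0.2.20", 80))
        events.append((1.2 + i, "ACK", "203.0.113.9", 50000 + i, "192.0.2.20", 80))
    return events


if __name__ == "__main__":
    sample = build_sample()
    print(half_open_connections(sample, now=10.0))
    print(alerts(sample, now=10.0))
```

The count is keyed on the destination service rather than the source because, as the flood in the sample shows, each SYN typically arrives from a different (often spoofed) address; per-source limits would see nothing unusual.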

Fragment attack

A "fragment attack" is a network saturation (denial-of-service) attack that exploits the fragmentation principle of the IP protocol. Recent systems are no longer vulnerable to this attack.
The IP protocol is used to fragment large packets into several IP packets each having a sequence number and a common identification number. When receiving data, the recipient reassembles the packets thanks to the offset values they contain.
The most famous fragment attack is the Teardrop attack. The principle of the Teardrop attack involves inserting false offset information into fragmented packets. As a result, during reassembly, there are empty or overlapping fragments that can cause the system to be unstable.
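The defence against the Teardrop condition described above is to validate fragment offsets before reassembling: every fragment must start exactly where the previous one ended, and exactly one fragment may carry the final marker. The following is an added example, not code from the original notes, of such a validator; it uses byte offsets rather than the 8-byte units of the real IP header, and the fragment sets are constructed for the demonstration.

```python
# Added example, not from the original notes: validates a set of IP fragments
# for overlaps and gaps before reassembly. Offsets are in bytes (the real IP
# header counts 8-byte units); the sample fragments are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    ident: int       # common identification number shared by all fragments
    offset: int      # byte offset of this fragment within the original datagram
    more: bool       # "more fragments" flag; False only on the last fragment
    payload: bytes


def validate(fragments):
    """Return (ok, reason); ok is False for any overlap, gap or bad final flag."""
    if not fragments:
        return False, "no fragments"
    if len({f.ident for f in fragments}) != 1:
        return False, "mixed identification numbers"
    ordered = sorted(fragments, key=lambda f: f.offset)
    expected = 0
    for f in ordered:
        if f.offset < expected:                 # the Teardrop case
            return False, f"overlap at offset {f.offset} (expected {expected})"
        if f.offset > expected:
            return False, f"gap at offset {expected}"
        expected = f.offset + len(f.payload)
    if ordered[-1].more:
        return False, "last fragment missing"
    if any(not f.more for f in ordered[:-1]):
        return False, "more than one final fragment"
    return True, "ok"


def reassemble(fragments):
    """Join the payloads in offset order, refusing anything validate() rejects."""
    ok, reason = validate(fragments)
    if not ok:
        raise ValueError(reason)
    return b"".join(f.payload for f in sorted(fragments, key=lambda f: f.offset))


# Constructed fragment sets.
GOOD = [
    Fragment(7, 0, True, b"GET /ind"),
    Fragment(7, 8, True, b"ex.html "),
    Fragment(7, 16, False, b"HTTP"),
]
# Second fragment claims offset 4 although the first already covers bytes 0-7.
OVERLAPPING = [
    Fragment(8, 0, True, b"AAAAAAAA"),
    Fragment(8, 4, False, b"BBBBBBBB"),
]
GAPPED = [
    Fragment(9, 0, True, b"AAAAAAAA"),
    Fragment(9, 16, False, b"BBBB"),
]

if __name__ == "__main__":
    print(reassemble(GOOD))
    for name, frags in (("overlapping", OVERLAPPING), ("gapped", GAPPED)):
        print(name, validate(frags))
```

A real stack also has to bound how long incomplete sets are held and how much memory they may consume, since the fragments of one datagram may arrive in any order or not at all.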

Distributed Denial of Service

A distributed denial-of-service (DDoS) attack is a logical extension of the DoS attack that gets more computers involved in the act. The DDoS attack uses hundreds or thousands of computers to request services from a server or server farm until the system or web site is no longer functional.

DNS DoS Attacks

DNS servers contain records that map hostnames to IP addresses. Primary DNS servers make all the necessary changes to the records when hosts or IP addresses change, and these records are then distributed to the secondary DNS servers. In a DNS DoS attack, a secondary server receives bogus records from an attacker instead of legitimate records from the primary DNS server; the secondary server cannot tell the difference and updates its records accordingly.
In a cache poisoning DNS DoS attack, the attacker instead inserts false data into the server's cache rather than replacing the actual records. Possible countermeasures include:

  • Ensure that DNS servers have public and internal records. The public records serve Internet requests and contain no sensitive information pertaining to the internal network. The internal records should be unreachable from the Internet and are used to resolve queries from internal users.
  • Use a primary and secondary DNS server per zone so that DNS servers are redundant.
  • Update the DNS BIND version, because different DNS BIND versions have different vulnerabilities.
  • Employ secure DNS. It protects DNS servers from having their records updated by unauthorized sources. The secondary DNS servers must authenticate the systems that are updating their records.

Buffer Overflow
Buffer overflows happen when an application does not check the length of input data before copying it into a fixed-size buffer, so data beyond the buffer's end overwrites adjacent memory.
Unintentional denial of service
A situation where a website becomes unavailable, not due to a deliberate attack by an individual or group, but simply due to a sudden enormous spike in popularity. This can happen when an extremely popular website posts a prominent link to a second, less well-prepared site, for example as part of a news story. The result is that a significant proportion of the primary site's regular users, potentially hundreds of thousands of people, click that link in the space of a few hours, which has the same effect on the target website as a DDoS attack.

Last Updated on Friday, 28 August 2009 05:04
 