8. Software Development Security


1. 1. Understand and Apply Security in the Software Development Life Cycle

1.1. Development Life Cycle Methodologies

1.1.1. SDLC Phases

1.1.1.1. Project initiation and planning

1.1.1.1.1. Feasibility, cost, risk analysis, Management approval, basic security objectives

1.1.1.2. Functional requirements definition

1.1.1.2.1. Defined need, requirements, review proposed security controls

1.1.1.3. System design specifications

1.1.1.3.1. Develop detailed design specs, Review support documentation, Examine security controls

1.1.1.4. Development and implementation

1.1.1.5. Documentation

1.1.1.6. Testing

1.1.1.7. Transition to production

1.2. Maturity Models

1.2.1. Capability Maturity Model for Software (CMM or SW-CMM)

1.2.1.1. Five maturity levels

1.2.2. ISO/IEC 90003:2004

1.3. Operation and Maintenance

1.3.1. Release into production / certification and accreditation

1.4. Change Management

1.4.1. Together, change and configuration management techniques form an important part of the software engineer's arsenal and protect the organization from development-related security issues.

1.4.1.1. Three basic components

1.4.1.1.1. Request control

1.4.1.1.2. Change Control

1.4.1.1.3. Release Control

1.5. Integrated Product Team

1.5.1. DevOps

2. 2. Enforce Security Controls in the Development Environment

2.1. Software Development Methods

2.1.1. Waterfall

2.1.1.1. Structured Programming Development

2.1.1.2. Spiral Method

2.1.1.3. Cleanroom

2.1.2. Iterative Development

2.1.2.1. Prototyping

2.1.2.2. Modified Prototype Model (MPM)

2.1.2.3. Rapid Application Development (RAD)

2.1.2.4. Joint Analysis Development (JAD)

2.1.2.5. Exploratory Model

2.1.3. Other Methods and Models

2.1.3.1. Computer-Aided Software Engineering (CASE)

2.1.3.2. Component-Based Development

2.1.3.3. Reuse Model

2.1.3.4. Extreme Programming

2.2. The Database and Data Warehousing Environment

2.2.1. Database Management System (DBMS) Architecture

2.2.1.1. Elements of a DBMS

2.2.1.1.1. The database engine itself

2.2.1.1.2. The hardware platform

2.2.1.1.3. Application software

2.2.1.1.4. Users

2.2.1.2. Structured Query Language (SQL)

2.2.1.2.1. SQL Sublanguages

2.3. Database Models

2.3.1. Database Models

2.3.1.1. Hierarchical Database Management Model

2.3.1.2. Network Database Management Model

2.3.1.3. Relational Database Management Model

2.3.1.3.1. Tables or relations

2.3.1.3.2. Integrity rules

2.3.1.3.3. Data manipulation agents

2.3.1.3.4. Attributes of a Table

2.3.1.4. Object-Oriented Database Model

2.4. Database Interface Languages

2.4.1. Open Database Connectivity (ODBC)

2.4.2. Java Database Connectivity (JDBC)

2.4.3. eXtensible Markup Language (XML)

2.4.4. Object Linking and Embedding Database (OLE DB)

2.5. Accessing Databases through the Internet

2.5.1. Application Programming Interfaces (APIs)

2.5.2. Tiered Application Approach

2.5.2.1. Presentation layer

2.5.2.2. Business logic layer

2.5.2.3. Data layer

2.5.3. Online Analytical Processing (OLAP)

2.5.3.1. OLAP technologies give an analyst the ability to formulate queries and, based on the results, define further queries

2.5.4. Lock Controls

2.5.4.1. Atomicity

2.5.4.2. Consistency

2.5.4.3. Isolation

2.5.4.4. Durability

2.5.5. Other DBMS Access Controls

2.5.5.1. Grant and Revoke Access Controls

2.5.5.2. View-Based Access Controls

2.5.5.3. Security for Object-Oriented (OO) Databases

2.5.5.4. Metadata Controls

2.5.5.4.1. data dictionary

2.5.5.5. Data Contamination Controls

2.5.5.5.1. input and output controls

2.5.6. ActiveX Data Objects (ADO)

2.5.7. Online Transaction Processing (OLTP)

2.5.8. Knowledge Management

2.5.9. Knowledge Discovery in Databases (KDD)

2.6. Web Application Environment

2.6.1. Open Web Application Security Project (OWASP) Framework

2.7. Security of the Software Environments

2.7.1. Open Source

2.7.2. Full Disclosure

2.7.3. Programming Languages

2.7.4. Programming Language Generations

2.7.5. Process and Elements

2.7.5.1. Higher-level languages

2.7.5.2. Machine language

2.7.5.3. Directive patterns

2.7.6. The Programming Procedure

2.7.7. Java Security

2.7.7.1. Verifier

2.7.7.2. Class Loader

2.7.7.3. Security Manager

2.7.8. Object-Oriented Technology and Programming

2.7.8.1. Encapsulation

2.7.8.2. Inheritance

2.7.8.3. Polymorphism

2.7.8.4. Polyinstantiation

2.7.9. Object-Oriented Security

2.7.9.1. Encapsulation

2.7.9.2. Polyinstantiation

2.7.10. Distributed Object-Oriented Systems

2.7.11. Common Object Request Broker Architecture (CORBA)

2.7.12. Libraries and Toolsets

2.7.13. Standard Libraries

2.7.14. Programming Tools

2.7.15. Integrated Development Environments

2.7.16. Runtime

2.8. Security Weaknesses and Vulnerabilities at Source Code Level

2.8.1. Social Engineering

2.8.1.1. Buffer Overflow

2.8.1.2. Citizen Programmers

2.8.1.3. Covert Channel

2.8.2. Source Code Analysis Tools

2.9. Malicious Software (Malware)

2.9.1. Viruses

2.9.1.1. Types of Viruses

2.9.1.1.1. File Infectors

2.9.1.1.2. Boot Sector Infectors

2.9.1.1.3. System Infectors

2.9.1.1.4. Companion Virus

2.9.1.1.5. E-mail Virus

2.9.1.1.6. Multipartite

2.9.1.1.7. Macro Virus

2.9.1.1.8. Script Virus

2.9.2. Malware

2.9.2.1. Worms

2.9.2.2. Hoaxes

2.9.2.3. Trojans

2.9.2.4. DDoS Zombies

2.9.2.5. Logic Bombs

2.9.2.6. Spyware and Adware

2.9.2.7. Pranks

2.9.2.8. Botnets

2.9.3. Malware Protection: Tools

2.9.3.1. Scanners

2.9.3.2. Heuristic Scanners

2.9.3.3. Activity Monitors

2.9.3.4. Change Detection

2.9.3.5. Reputation Monitoring/Zero-day/Zero-hour

2.9.3.6. Antimalware Policies

2.10. Software Protection Mechanisms

2.10.1. Trusted Computing Bases (TCB)

2.10.2. Reference Monitors

2.10.3. Security Kernels

2.10.4. Processor Privilege States

2.10.5. Security Controls for Buffer Overflows

2.10.6. Controls for Incomplete Parameter Check and Enforcement

2.10.7. Process Isolation and Memory Protection

2.10.8. Interrupts

2.10.9. Encapsulation of a Process

2.10.10. Time Multiplexing

2.10.11. Naming Distinctions

2.10.12. Virtual Address Memory Mapping

2.10.13. Memory Management

2.10.13.1. Memory Manager Responsibilities

2.10.13.1.1. Relocation

2.10.13.1.2. Protection

2.10.13.1.3. Sharing

2.10.13.1.4. Logical organization

2.10.13.1.5. Physical organization

2.10.13.2. Memory Manager: Registers

2.10.14. Covert Channel Controls

2.10.15. Cryptography

2.10.16. Password Protection Techniques

2.10.17. Inadequate Granularity of Controls

2.10.18. Control and Separation of Environments

2.10.18.1. Development environment

2.10.18.2. Quality assurance environment

2.10.18.3. Application (production) environment

2.10.19. Race Conditions vs. Time of Check/Time of Use (TOC/TOU) Attacks

2.10.20. Social Engineering

2.10.21. Backup Controls

2.10.22. Software Forensics

2.10.23. Mobile Code Controls

2.10.23.1. Disclosure of information

2.10.23.2. Denial-of-service (DoS) attacks

2.10.23.3. Damaging or modifying data

2.10.23.4. Annoyance attacks

2.10.24. Sandbox

2.10.24.1. Provides a protective area for program execution

2.10.25. Programming Language Support

2.11. Configuration Management as an Aspect of Secure Coding

2.11.1. Configuration Management (CM)

2.11.2. Information Protection Management

2.12. Security of Code Repositories

2.13. Security of Application Programming Interfaces

2.13.1. Representational State Transfer (REST)

2.13.1.1. Authentication Options

2.13.1.1.1. Basic Authentication w/TLS

2.13.1.1.2. OAuth 1.0a

2.13.1.1.3. OAuth 2

2.13.1.2. Allows interaction with a web-based system via simplified URLs

2.13.1.3. OWASP REST Security Cheat Sheet

2.14. Certification and Accreditation

3. 3. Assess the Effectiveness of Software Security

3.1. Certification and Accreditation

3.1.1. Federal agency mandates

3.1.2. Certification

3.1.3. NIST SP 800-37

3.1.4. Risk Management Framework (RMF)

3.1.4.1. The risk management process shifts the traditional focus of C&A from a static, procedural activity to a more dynamic approach

3.1.5. Certification for Private Organizations

3.2. Auditing and Logging of Changes

3.2.1. Logs

3.2.1.1. A log is a record of actions and events that have taken place on a computer system

3.2.2. Auditing

3.2.3. Information Integrity, Accuracy, and Auditing

3.2.3.1. Information integrity

3.2.3.2. Information accuracy

3.2.3.3. Character checks

3.2.3.4. Relationship checks

3.2.3.5. Transaction limits

3.2.3.6. Information auditing

3.3. Risk Analysis and Mitigation

3.3.1. Risk

3.3.1.1. An event that has a probability of occurring and could have either a positive or negative impact on a project should it occur

3.3.2. Risk Management

3.3.2.1. Risk management planning

3.3.2.2. Identification

3.3.2.3. Analysis

3.3.2.4. Monitoring

3.3.2.5. Control

3.3.2.5.1. Patch Management

3.3.3. Risk documentation

3.3.3.1. Risk register

3.3.3.2. Risk statement

3.3.3.3. Mitigation steps

3.3.3.4. Contingency plan

3.3.4. Risk Management Tools

3.3.4.1. Ishikawa Diagrams

3.3.4.2. P-Diagrams

3.3.4.3. Preliminary Hazard Analysis (PHA)

3.3.4.4. Failure Modes and Effect Analysis (FMEA)

3.3.4.5. Failure Modes and Effect Criticality Analysis (FMECA)

3.3.4.6. Hazard Analysis of Critical Control Points (HACCP)

3.4. Testing and Verification

3.4.1. Code Signing

3.4.1.1. Code Signature Components

3.4.1.1.1. Seal

3.4.1.1.2. Digital signature

3.4.1.1.3. Unique identifier

3.5. Regression and Acceptance Testing

3.5.1. Whenever developers change or modify their software, even a small tweak can have unexpected consequences

3.5.2. Using a Library of Tests

3.5.3. Acceptance Testing

3.5.3.1. A formal test conducted to determine whether a system satisfies its acceptance criteria and to enable the customer to determine whether or not to accept the system

4. 4. Assess Software Acquisition Security

4.1. Software assurance

4.1.1. Planning

4.1.2. Contracting

4.1.3. Monitoring and Acceptance

4.1.4. Follow-on

4.2. SwA Policy

4.2.1. Acquisition Process

4.3. Risks Associated with Software Vulnerabilities

4.3.1. Intentional insertion of malicious code

4.3.2. Unintentional errors

4.3.3. Theft of vital information

4.3.4. Theft of personal information

4.3.5. Changed product

4.3.6. Inserted agents

4.3.7. Corrupted information

4.4. Acquisition Process