TDT4237 - Software Security and Data Privacy

Links

• NTNU

Course Summary

• Identify typical security vulnerabilities of web applications listed in OWASP top 10, such as SQL injection, XSS, and XSRF, by reviewing the source code and penetration testing. Students should also be able to fix the identified vulnerabilities;
• Explain typical cryptography concepts and algorithms related to web application, including, e.g., block cipher, stream cipher, digital signature, and SSL/TSL handshaking procedure;
• Apply threat modeling methods to analyze web application, learn to think like an attacker and build barriers;
• Describe and compare software engineering practices and standards related to software security;
• Apply risk-based testing for development, figuring out why test? what to test? how to do it?;
• Explain key authentication and authorization concepts and methods, such as different authentication methods, multilevel security control, and role-based access control;
• Explain and apply principles of GDPR and data privacy, protecting personal spaces and avoiding hefty fines for your future tech company.

Course Summary - In detail

1. Security concepts and principles

• Lecture 1: Security principles

Understand basic security goals

• Confidentiality
• Integrity
• Availability
• Privacy
• Accountability
• Non-Repudiation

Understand typical attacks

• Web defacement
• Infiltration, control hijacking
• Phishing
• Data theft or loss
• Denial of service (DoS)
• Ransomware

Apply high-level security guidelines

1. Secure the weakest link
2. Practice defense in depth
3. Fail securely
4. Compartmentalize
5. Be reluctant to trust
6. Follow the principle of least privilege
7. Keep it simple
8. Promote privacy
9. Remember that hiding secrets is hard
10. Use your community resources

2. OWASP Top 10

• Slides: OWASP part 1, OWASP part 2
• OWASP web testing guide
• Foundations of security book (Chapters 8, 9, 10)
• Security engineering book, Chapter 3.4 and 3.5

Understand various web application related attacks, vulnerabilities and countermeasures

Injection attacks (A03:2021)

• SQL
• Xpath
• Blacklisting
• Whitelisting
• Escaping
• Prepared statements and bind variables

Session management attacks

• Session token theft attack
• Session token prediction attack
• Session fixation attack
• Cross-site scripting (XSS)
  • Reflected vs. Stored XSS

Broken access control (A01:2021)

• Cross-Site Request Forgery (CSRF) attack

Server-Side Request Forgery (SSRF) attack (A10:2021)

Security misconfiguration (A05:2021)

• XML External Entities (XXE)

Software and data integrity failure (A08:2021)

• Insecure deserialization

Identification and authentication failure (A07:2021)

• Something you (know/have/are)
• Vulnerable password storage
• Dictionary attack
• Hashing / salt / pepper

Security logging and monitoring failures (A09:2021)

• Insufficient logging and monitoring

HTML security issues

• Clickjacking (X-Frame-Options : deny)
• Control hijacking
• Buffer overflow

Be able to find out vulnerabilities in Python code snippets and know how to fix them

Explain various password related concepts and authentication methods

Other authentication countermeasures:

• Filtering
• Limiting logins
• Aging password
• Last login/ Protective monitoring
• One-time password
• Two-factor/two-channel authentication
• CAPTCHA and reCAPTCHA

3. Cryptography introduction

• Slides: Crypto introduction
• Security engineering, Chapter 5

Explain various cryptography methods presented in the slides

The following use symmetric encryption (shared private key)

• Confidentiality
  • Polybios
  • Shift cipher
  • The Vigenère method
  • One time pad (OTP)
  • Stream cipher
  • Block cipher
    • Variants
      • Data Encryption Standard (DES)
      • Tripe DES (3DES)
      • Advanced Encryption Standard (AES)
    • Modes of operation
      • Electronic code book (ECB)
      • Cipher block chaining (CBC)
• Integrity
  • Enhanced CBC mode (ECBC)
  • Message Authentication Code (MAC)
  • HASH-MAC (HMAC)

Explain public & private key concepts, digital signature, certificates, and SSL handshake

• Kerckhoff’s principle
• Cryptographic hash functions
  • MD5
  • SHA-1, SHA-2
• Handshake algorithms
  • TLS/SSL
  • Certificate Authority (CA)
  • Digital signature
• Public key (asymmetric) encryption
  • RSA
  • ECDSA

Apply the cryptography methods correctly

4. Authorization and Multi-Level Security Authentication and Single sign-on Control hijacking attacks

• Slides: Authorization and stuff
• Security engineering:
  • Chapter 6 Access control
  • Chapter 9 Multi-level security
• Foundations of security, Chapter 6: Buffer overflow

Explain discretionary, mandatory, role-based, and attribute-based access control policy and their pros and cons

• DAC (Discretionary access control)
  • Access control matrix
  • Authorization table
  • Access control list
  • Capabilities
• MAC (Mandatory access control)
• RBAC (Role based access control)
• ABAC (Attribute based access control)

Explain Biba and Bell-Lapdula models

• Biba
• Bell-LaPadula

Explain SSO, SAML 2.0, OAuth 2.0, OpenID

• SSO
  • SAML
  • OAuth
  • OpenID

Explain buffer overflow attack and mitigation

5. Static analysis and tools for security

• Slides: Static analysis tools for security

Explain different static analysis approaches

• Static Application Security Tools (SAST)
• Techniques for static code analysis
  • Pattern matching
  • Control flow analysis
  • Data flow analysis
  • Taint analysis (security)
  • Source (entry points)
  • Sink (exit points)
  • Sanitization points (filters)
• Practical static analysis tools make compromises between soundness and completeness

6. GDPR and Privacy by Design

• Slides: GDPR and Data privacy
• Security engineering, Chapter 26: Surveillance or privacy
• https://gdpr-info.eu/

Explain relationship between security and privacy

Privacy is a subset of security, as protecting personal information is one aspect of securing a software system. (chatGPT)

GDPR

General Data Protection Regulation (GDPR) concerns personal information

1. Transparency,
2. Purpose,
3. Rights,
4. Fair use,
5. Minimalisation

List direct and indirect identifiers of a natural person

• a name,
• an identification number,
• location data,
• an online identifier or
• to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

List what can be sensitive personal data

Sensitive information isdata that must be protected from unauthorized access to safeguard the privacy or security of an individual or organization.

• Personal information
• Business information
• Classified information (government body)

Explain the principles of Privacy by Design

Privacy by design is based on seven "foundational principles"

1. Proactive not reactive; preventive not remedial
2. Privacy as the default setting
3. Privacy embedded into design
4. Full functionality - positive-sum, not zero-sum
5. End-to-end security - full lifecycle protection
6. Visibility and transparency - keep it open
7. Respect for user privacy - keep it user-centric

7. Threat modeling and STRIDE

• Slides: Threat modeling and STRIDE
• The threat modeling manifesto: https://www.threatmodeling manifesto.org/ (values and principles)
• Security engineering
  • Chapter 2: Who is the opponent
  • Chapter 27.3: Lessons from safety-critical systems

Explain what threat modeling is about

Threat modeling looks at a system from an adversary's perspective to anticipate attack goals

Explain the difference between attacker-centric and software-centric threat models

Attacker-centric

One of the first things the security engineer needs to do when tackling a new problem is to identify the likely opponents. What sort of capabilities will the adversaries have, and what motivation?

Some categories of possible threat agents are spooks, crooks, geeks, terrorists, CEO criminals, the swamp and insiders.

Software-centric

Software-centric models are models that focus on the software being built or a system being deployed

1. Identify critical assets
2. Decompose the system to be assessed
3. Identify possible points of attack
4. Identify threats
5. Categorise and prioritise the threats
6. Mitigate

Apply various threat modeling methods, e.g., misuse case, attack tree, bow-tie and data flow diagrams

• Misuse cases
• Attack trees
• Bowtie diagram
• Data flow diagram

Explain and apply STRIDE

• Spoofing
• Tampering
• Repudiation
• Information disclosure
• Denial of Service
• Elevation of Privilege

8. Penetration Testing for Web applications

• Slides: Introduction to real-world pentesting (Harrison Sand)

Explain practices and challenges of penetration testing in industry

1. Understand the application you’re testing
2. Quickly check for “low hanging fruit”
   • Scanners and tools can help, but don't rely on them
3. Spend time diving deep into what makes sense
4. Only go as far as necessary to demonstrate a security risk

9. Risk management during development

• Slides: Risk Management during development
• Security engineering:
  • Chapter 8.6: The economics of security and dependability
  • Chapter 27.2: Risk management
  • Chapter 27.4: Prioritising protection goals

Identify, rank, track, and understand software security risk as it changes over time. Risk management is a continuous and iterative process.

Explain the various steps typical of risk management (e.g., RMF)

Risk management framework (RMF)

1. Understanding the business context
2. Identify business risks and technical risks
3. Synthesize and prioritize risks (impact / likelihood)
4. Define the risk mitigation strategy
5. Carry out fixes and validate

Tools to help identify technical risks: Misuse cases, attack trees, and data flow diagram, etc.

Explain approaches on how to quantify risks

• impact / likelihood matrix

Apply RMF to analyze the security of a system

Define security requirements. Explain the difference between good and bad security requirements

• What you require, not how to achieve it
  • Being open to different solutions
  • Avoid premature design or implementation decisions
• Understandability, clarity (not ambiguous)
• Cohesion (one thing per requirement)
• Testability
  • Clear acceptance criteria
  • Often requires quantification

Define a vulnerability score, e.g. Common Vulnerability Scoring System (CVSS)

https://www.first.org/cvss/calculator/3.1

• A standardized way of measuring the technical severity of a vulnerability
• Gives a score between 0-10
• Consists of a:
  • Base score - Constant over time
  • Temporal score - Current exploitability (changes over time)
  • Environmental score - Modifications based on security requirements and mitigations in place

10. Software Security Activities and Secure Software Development LifeCycles

• Security engineering, Chapter 27: Secure systems development
• Activities recommended by Microsoft: https://www.microsoft.com/en-us/securityengineering/sdl/practices
• BSIMM - https://ieeexplore.ieee.org/abstract/document/7383152 (also available from "Sources and syllabus")
• The OWASP Software Assurance Maturity Model https://owasp.org/www-project-samm/

Explain the basic concepts and tools of best practices in software development

Explain security activities

11. AI for security Social Engineering

• Slides from Nektaria and Erlend Andreas
• Security Engineering
  • Chapter 3 Psychology and Usability
  • Chapter 25.3 AI/ML

Explain how AI and cybersecurity relate

• AI for cybersecurity (i.e., AI is used to improve defensive cybersecurity)
  • Predict attacker, automate testing
• Malicious use of AI (i.e., AI is used to improve offensive cybersecurity)
  • Automated spamming
  • Election rigging
  • Shifting public opinion
  • Tailored phishing, scamming
• Cybersecurity for AI (i.e., cybersecurity is used to defend AI systems from attacks)
  • Manipulation of training
  • Explaining

Explain common techniques used for social engineering

• PEOPLE GIVE when they get
• PEOPLE LIKE those who like them
• PEOPLE DO as similar people do
• PEOPLE LISTEN to authority
• PEOPLE COMMIT to their statements
• PEOPLE AVOID loss (of advantage)