Imagine running a software development company that releases an update affecting thousands, if not millions, of users, while being responsible for keeping their data safe and secure. Domain 8 of the CISSP covers software development security, an essential part of an organization’s overall approach to cybersecurity. Software development security involves applying security concepts and best practices to development and production software environments. It is important to address security in software development tools, source code weaknesses and vulnerabilities, configuration management as it relates to source code development, the security of code repositories, and the security of application programming interfaces. All of these should be integrated into the software development lifecycle, taking into account development methodologies, maturity models, operations and maintenance, and change management, as well as the need for an integrated product development team.

CISSP Domain 8 covers –

  • Software Development Lifecycle.
  • Security Controls in Development Environments.
  • Secure Coding Standards and Guidelines.
  • The Effectiveness of Software Security.

CISSP Domain 8

Security of Application Programming Interfaces

Not every project will require that the SDLC phases be executed sequentially. However, the phases are interdependent. Depending upon the size and complexity of the project, phases may be combined or may overlap. Programming languages have been classified by generation.

There are five generations of programming languages:

  • First-Generation Languages: low-level languages such as machine language.
  • Second-Generation Languages: low-level assembly languages used in kernels and hardware drivers.
  • Third-Generation Languages: high-level languages such as C, C++, Java, Visual Basic, and JavaScript.
  • Fourth-Generation Languages: languages whose statements resemble statements in human language. They are used mainly in database programming and scripting. Examples include Perl, Python, Ruby, SQL, and MATLAB (Matrix Laboratory).
  • Fifth-Generation Languages: programming languages that provide visual tools to develop a program. Examples include Mercury, OPS5, and Prolog.

  • Machine Languages – Direct instructions to the processor – binary representation
  • Assembly Language – Use of symbols and mnemonics to represent binary codes – ADD, PUSH and POP
  • High-Level Language – Processor-independent programming languages – use IF, THEN and ELSE statements as part of the code logic
  • Very high-level language – Generation 4 languages further reduce the amount of code required – programmers can focus on algorithms. Python, C++, C# and Java
  • Natural language – Generation 5 languages enable the system to learn and change on its own – A

Software and Data Terms

  • Coupling is the degree of interdependence between software modules, i.e. how heavily one module/object depends on another. Low coupling means that changing something in one class will not affect other classes. It is a measure of how closely connected two routines or modules are; the strength of the relationships between modules.
  • Coupling is usually contrasted with cohesion. Low cohesion means an object/module implements a lot of unrelated functions; high cohesion means an object/module implements only related functions. Low coupling often correlates with high cohesion, and vice versa.
  • Consistency in database systems refers to the requirement that any given database transaction must change affected data only in allowed ways. Any data written to the database must be valid according to all defined rules, including constraints, cascades, triggers, and any combination thereof.
  • Cardinality refers to the uniqueness of data values contained in a particular column (attribute) of a database table. The lower the cardinality, the more duplicated elements in a column. For example, ID should be unique, so ID would have a high cardinality. A column Gender that can only accept Male or Female would have a low cardinality.
  • Durability indicates that once a transaction is committed, it’s permanent. It’ll survive any crash or power off of the DB’s host. The transaction is written to the disk and in the transaction log. Like a customer entry in a database for example.
  • Data Dictionary is a data structure that stores metadata (structured data about information). If a data dictionary system is used only by the designers, users, and administrators and not by the DBMS Software, it is called a passive data dictionary. Otherwise, it is called an active data dictionary or data dictionary.
  • Test Coverage is a measure used to describe the degree to which the source code of a program is executed when a particular test suite runs. A program with high test coverage, measured as a percentage, has had more of its source code executed during testing, which suggests it has a lower chance of containing undetected software bugs compared to a program with low test coverage. To calculate the test coverage, the formula is Number of use cases tested / Total number of use cases.
  • Negative Testing is a method of testing an application or system that ensures the application behaves according to the requirements and can handle unwanted input and user behavior. Invalid data is inserted to compare the output against the given input. Negative testing is also known as failure testing or error path testing.
    • Boundary tests are done during negative testing. When performing negative testing exceptions are expected. This shows that the application is able to handle improper user behavior. Users input values that do not work in the system to test its ability to handle incorrect values or system failure.
  • CRUD testing Create, Read, Update, and Delete (CRUD) are the four basic functions of persistent storage. CRUD testing is used to validate the CRUD is functioning.
  • Heap Metadata Prevention is a memory protection that forces a process to fail if a pointer is freed incorrectly.
  • Pointer Encoding is a buffer overflow protection recommended by Microsoft during the Software Development Lifecycle for Independent Software Vendors, but it’s not required.
  • Data Warehousing is the process of collecting large volumes of data on a high performance storage.
  • Data Mining is the process of searching large volumes of data for patterns.

Database models

Databases are based on models, which define the way data should be represented in the database. The following are the most common database models:

  • Hierarchical : The oldest.
  • Network : Data is represented in the form of a network that includes nodes and arcs.
  • Relational: The most common.
    • Based on tables (Rows called tuples, and columns called attributes).
  • Object-oriented : Data is stored as objects. Similar to OOP languages. A new model.
  • Object-relational (Hybrid).
  • NoSQL : Non Relational. Used when massive data is needed.

Database models should have the following requirements:

  • Transaction persistence.
  • Fault tolerance and recovery.
    • Rollback.
    • Shadow.
  • Multiple users at the same time.
  • Security controls.
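The consistency, durability and rollback requirements above are easiest to see in a small transaction. The following is an added example, not code from the original notes: it uses Python's standard `sqlite3` module with a constructed `account` table whose CHECK constraint is the consistency rule. A transfer that would leave a negative balance violates the constraint, and the whole transaction (including the credit that already succeeded) is rolled back; a successful transfer is committed and therefore durable.

```python
import sqlite3

# Constructed schema: the CHECK constraint is the consistency rule the
# database enforces on every statement.
SCHEMA = """
CREATE TABLE account (
    id      INTEGER PRIMARY KEY,
    owner   TEXT NOT NULL UNIQUE,
    balance INTEGER NOT NULL CHECK (balance >= 0)
);
"""


def open_bank() -> sqlite3.Connection:
    """Create an in-memory database with two constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO account(owner, balance) VALUES (?, ?)",
        [("alice", 100), ("bob", 50)],
    )
    conn.commit()  # committed rows are durable
    return conn


def transfer(conn: sqlite3.Connection, src: str, dst: str, amount: int) -> bool:
    """Move money between accounts atomically.

    The credit is deliberately executed first so that, when the debit
    violates the CHECK constraint, the rollback visibly undoes work that
    had already succeeded inside the same transaction.
    """
    try:
        with conn:  # commit on success, ROLLBACK on any exception
            conn.execute(
                "UPDATE account SET balance = balance + ? WHERE owner = ?",
                (amount, dst),
            )
            conn.execute(
                "UPDATE account SET balance = balance - ? WHERE owner = ?",
                (amount, src),
            )
        return True
    except sqlite3.IntegrityError:
        # Constraint violated: the transaction was rolled back; nothing persisted.
        return False


def balances(conn: sqlite3.Connection) -> dict:
    """Return {owner: balance} so callers can check the committed state."""
    return dict(conn.execute("SELECT owner, balance FROM account ORDER BY owner"))


if __name__ == "__main__":
    bank = open_bank()
    print(transfer(bank, "alice", "bob", 30), balances(bank))   # True, alice 70 / bob 80
    print(transfer(bank, "alice", "bob", 500), balances(bank))  # False, unchanged
```

The `with conn:` block is what provides atomicity here: the two UPDATE statements either both commit or both roll back, so a failed transfer never leaves a half-applied state behind.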

Database weaknesses

Databases have many vulnerabilities and are exposed to different threats. This is a list of some of these :

  • SQL injection : Use prepared statement to help prevent it.
  • Inference : The ability to deduce sensitive information from public data.
  • Aggregation : The ability to deduce sensitive information from combining multiple pieces of non-sensitive data.
  • Access control bypass at the front-end.
  • Compromising view-based access control.
  • Concurrency problems:
    • Lost update.
    • Dirty read (Temporary update).
    • Incorrect summary.
  • Deadlocking (Deadly embrace) : When two transactions are trying to execute at the same time, but both are denied.
    • Solution : Using lock controls.
  • DoS attacks (e.g. SQL Slammer).
  • TOCTOU (Time Of Check Time Of Use).
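The first item in the list, SQL injection and its prepared-statement fix, is shown below as an added example (not code from the original notes), using Python's standard `sqlite3` module and a constructed `users` table. The vulnerable lookup builds the query by string concatenation, so the input becomes part of the SQL grammar; the safe lookup binds the same input as a parameter, so it can only ever be compared as data.

```python
import sqlite3


def open_users() -> sqlite3.Connection:
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Anti-pattern: untrusted input is concatenated into the SQL text."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "' ORDER BY name"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Prepared (parameterised) statement: the driver binds `name` as a value."""
    sql = "SELECT name, role FROM users WHERE name = ? ORDER BY name"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = open_users()
    hostile = "x' OR '1'='1"          # constructed input that alters the WHERE clause
    print(lookup_vulnerable(db, hostile))  # every row leaks
    print(lookup_safe(db, hostile))        # no row has that literal name
```

Parameter binding is the control; escaping or filtering input by hand is error-prone and should only supplement it. The same rule applies to dynamic table or column names, which cannot be bound and must be checked against an allowlist instead.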

Buffer Overflow and Pointer Protection

This is according to the Independent Software Vendor recommendations from Microsoft SDL.

  • Pointer Encoding – Requirement: No – Priority: Moderate
  • ASLR – Requirement: Yes – Priority: Critical
  • Heap Metadata Protection – Requirement: Yes – Priority: Moderate
  • DEP – Requirement: Yes – Priority: Critical

Data Protection

  • Hardware Segmentation is a memory protection that maps processes to different hardware memory locations.
  • Defect Density is a development metric that gives the average number of defects per line of code.
  • Risk Density is a secure development metric that ranks security issues in order to quantify risk.
  • Inference is the ability to deduce sensitive information from available non-sensitive information. For example, deducing a patient’s illness based on that patient’s prescription.
  • Aggregation is combining benign data to reveal potentially sensitive information.

Processor Mode

Processors have different modes of execution.

  • Ring 0 – Kernel/Supervisor/High Privilege is the mode used to execute code that has complete access to the hardware.
    • It’s normally reserved for OS functions.
  • Ring 3 – Users/Applications mode
    • Is used to run applications.

Secure Coding Guidelines and Standards

  • Many organizations have a security strategy that is focused at the infrastructure level; it deals with hardware and access. However, organizations that develop code internally should also include coding in their security strategy.
  • Security weaknesses and vulnerabilities at the source-code level are important because just about every application has bugs. While not all bugs are specifically related to security, they can sometimes lead to a security vulnerability.
    • Use source code analysis tools, which are also called static application security testing (SAST) tools, to find and fix bugs.
    • These tools are most effective during the software development process, since it’s more difficult to rework code after it is in production.
    • These tools can’t find everything and can potentially create extra work for teams if there are a lot of false positives.
    • All source code is scanned during development and after release into production.
  • Security of application programming interfaces (APIs). APIs allow applications to make calls to other applications. Without proper security, APIs are a perfect way for malicious activity to harm your application or environment as a whole.
    • The security of APIs starts with requiring authentication using a method such as OAuth or API keys. Authorization should also be used and enforced.
    • Many companies use an API security gateway to centralize API calls and perform checks on the calls (checking tokens, parameters, messages, etc.) to ensure they meet the organization’s requirements.
    • Other common methods to secure your APIs are to use throttling (which protects against DoS or similar misuse), scan your APIs for weaknesses, and use encryption (such as with an API gateway).
  • Secure coding practices. There are established practices you should follow to maximize the security of your code. Some of the most common ones are:
    • Input validation – validate input from untrusted sources and reject invalid input.
    • Don’t ignore compiler warnings – use the highest warning level available and address all warnings that are generated.
    • Deny by default – everyone should be denied by default. Grant access as needed.
    • Authentication and password management – require authentication for everything that is not meant to be available to the public. Hash passwords and salt the hashes. Mmmm, hash browns.
    • Access control – restrict access using the principle of least privilege. Deny access if there are issues checking access control systems.
    • Cryptographic practices – protect secrets and master keys by establishing and enforcing cryptographic standards for your organization.
    • Error handling and logging – avoid exposing sensitive information in log files or error messages. Restrict access to logs.
    • Data protection – encrypt sensitive information.
    • Communication security – use Transport Layer Security (TLS) everywhere possible.
    • System configuration – lock down servers and devices. Keep software versions up to date with fast turnaround.
    • Memory management – use input and output control, especially for untrusted data. Watch for buffer size issues (use static buffers). Free memory when it is no longer required.
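Several of the API security and secure coding practices above (authentication with API keys, throttling, deny by default, input validation, salted hashing of secrets) can be shown together in one small gateway check. The following is an added example written for these notes, not code from the original page or any real product. The key id `reporting`, the secret `demo-secret`, the username format and the request-handling signature are all constructed assumptions; a real gateway would load key material from a secret store and take the clock from the request.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


def hash_secret(secret: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted scrypt hash of a secret; a fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(secret.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def verify_secret(secret: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_secret(secret, salt)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Throttle:
    """Fixed-window request counter per client id (throttling / DoS protection)."""
    limit: int
    window: float
    _hits: Dict[str, Tuple[float, int]] = field(default_factory=dict)

    def allow(self, client: str, now: float) -> bool:
        start, count = self._hits.get(client, (now, 0))
        if now - start >= self.window:      # window expired: start a new one
            start, count = now, 0
        count += 1
        self._hits[client] = (start, count)
        return count <= self.limit


# Allowlist for a username parameter: lower-case identifier, 3 to 32 characters.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def validate_username(value: object) -> Optional[str]:
    """Input validation: return the value only if it matches the allowlist."""
    if isinstance(value, str) and USERNAME_RE.fullmatch(value):
        return value
    return None


@dataclass
class Gateway:
    keys: Dict[str, Tuple[bytes, bytes, Set[str]]]   # key id -> (salt, digest, scopes)
    throttle: Throttle

    def handle(self, key_id: str, secret: str, scope: str,
               username: object, now: float) -> Tuple[int, str]:
        """Deny by default: the request is served only after every check passes."""
        record = self.keys.get(key_id)
        if record is None or not verify_secret(secret, record[0], record[1]):
            return 401, "unauthenticated"            # authentication
        if not self.throttle.allow(key_id, now):
            return 429, "throttled"                  # throttling
        if scope not in record[2]:
            return 403, "forbidden"                  # authorization, least privilege
        user = validate_username(username)
        if user is None:
            return 400, "invalid input"              # reject invalid input
        return 200, "ok:" + user


def make_demo_gateway(limit: int = 5, window: float = 60.0) -> Gateway:
    """Gateway with one constructed key that may only use the 'read' scope."""
    salt, digest = hash_secret("demo-secret")        # stored hashed, never in clear
    return Gateway(keys={"reporting": (salt, digest, {"read"})},
                   throttle=Throttle(limit, window))


if __name__ == "__main__":
    gw = make_demo_gateway()
    print(gw.handle("reporting", "demo-secret", "read", "alice_01", 0.0))   # (200, 'ok:alice_01')
    print(gw.handle("reporting", "demo-secret", "write", "alice_01", 1.0))  # (403, 'forbidden')
```

Two design points worth noting: the secret comparison goes through `hmac.compare_digest` so that response timing does not leak how many bytes of a guess were correct, and the return values are plain status codes so that error messages never echo the rejected input or any internal detail, in line with the error-handling guidance above.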

Integrated teams

People with different skills and from different environments can be combined to form an integrated team. Three examples of integrated teams are provided here:

  • Integrated Product Team (IPT)
    • A team with various skills that work together to deliver a product.
  • Integrated Product and Process Development (IPPD)
    • Concurrent development of products and processes.
  • DevOps
    • Integrates development, operations and quality assurance.
    • Based on agile principles.

Maturity Models

Maturity models are tools that help in improving processes. The most common one is the Capability Maturity Model (CMM).

CMM defines 5 maturity levels:

  • Initial : Processes are ad-hoc and chaotic.
  • Repeatable : Processes are managed.
  • Defined : Processes are understood and documented in procedures and standards.
  • Quantitatively managed: Measured.
  • Optimizing : Continuous process improvement.
  • SAMM – Software Assurance Maturity Model –> open framework geared towards including security features
  • BSIMM – Building Security In Maturity Model –> measures the extent to which security is included in software development processes
  • AMM – Agile Maturity Model –> software process improvement model for Agile

Types of publicly released software

  • closed source –> released in executable form, source code = confidential
  • open source –> source code = public
  • proprietary –> subject to intellectual property protections
  • free software –> free of charge (gratis) or free to modify it (libre)
  • freeware –> free of charge to use
  • shareware –> fully functional proprietary sw that can be used for free initially
  • crippleware –> proprietary sw w/ key features disabled (pay for the full version)
