Introduction

Software plays a key role in the productivity of most organizations, but in many cases, we must contend with bugs and vulnerabilities in software. If you were to buy a defective car that exploded in minor accidents, the manufacturer would be forced to recall the car. However, if you buy a buggy piece of software, you have little recourse: You could wait for a patch, buy an upgrade, or maybe just buy another vendor’s product. Well-written applications are essential for good security. This chapter focuses on topics a security professional must know in order to apply security in the context of the CIA triad (confidentiality, integrity, and availability) to the software development lifecycle (SDLC), including programming languages, application design methodologies, change management, and database design.

Databases contain some of the most critical assets of an organization and are often targeted by hackers. As a security professional, you must understand design, security issues, control mechanisms, and common vulnerabilities of databases. In addition to protecting the corporation’s database from attacks, a security professional must be sensitive to the interconnectivity of databases and the rise of large online cloud databases.

Integrating Security into the Development Lifecycle

As a security professional, you are not expected to be an expert programmer or understand the inner workings of a Python script. You must, however, know the overall environment in which software and systems are developed. You must understand and integrate security into the SDLC. You must also understand the software development process and be able to recognize whether adequate controls have been developed and implemented. It is important to keep in mind that it’s always cheaper to build in security up front than it is to add it later. Organizations accomplish this by using a structured approach that offers a number of benefits:

• Minimizes risk

• Maximizes return on investment from using the software

• Establishes security controls so that the risk associated with using software is mitigated

New systems are created when new opportunities are discovered; organizations take advantage of these technologies to solve existing problems, accelerate business processes, and improve productivity. Although it’s easy to see the need to incorporate security from the beginning of the process, the historical reality of design and development has been deficient in this regard. Most organizations are understaffed, and duties are not properly separated. Too often, inadequate consideration is given to the implementation of access-limiting controls from within a program’s code.

Code that is not properly secured has exposure points and vulnerabilities. New technologies and developments such as cloud computing and the Internet of Things (IoT) have made using a structured, secure development process even more important than in the past. It is critical that development teams enforce a structured SDLC that has checks and balances and where security is considered from start to finish.

Avoiding System Failure

No matter how hard we plan, systems fail. Organizations must prepare for failures through the use of compensating controls that help limit the damage. Some examples of compensating controls are checks and application controls and fail-safe procedures.

Checks and Application Controls

The easiest way to minimize problems in the processing of data is to ensure that only accurate, complete, and timely inputs can occur. Even poorly written applications can be made more robust by adding controls that check limits, data formats, and data lengths; these controls provide data input validation. Controls verifying that data is only processed through authorized routines should be in place. These application controls should be designed to detect any problems and to initiate corrective action. If there are mechanisms in place that permit the override of these security controls, their use should be logged and reviewed. Table 9.1 lists some common types of controls.

Failure States

Because all applications can fail, it is important that developers create mechanisms for safe failure with damage contained. Well-coded applications have built-in recovery procedures that are triggered if failure is detected; to protect a system from compromise, services can be terminated and systems can be disabled until the cause of failure can be investigated.

The Software Development Lifecycle

The software development lifecycle (SDLC), also referred to as the system development lifecycle, is a framework for system development that can facilitate and structure the development process. It describes a process for planning, creating, testing, and deploying an information system. The National Institute of Standards and Technology (NIST) defines the SDLC in NIST SP 800-34 as “the scope of activities associated with a system, encompassing the system’s initiation, development and acquisition, implementation, operation and maintenance, and ultimately its disposal that instigates another system initiation.”

Many other framework models exist, such as the Microsoft Security Development Lifecycle (SDL), which consists of the phases training, requirements, design, implementation, verification, release, and response. Although the stages and specific terms vary from one framework to the next, security concerns should be integrated into every stage. The overall goal is the same: to control the development process and add security at each level or stage of the process.

The SDLC has seven distinct stages:

1. Project initiation

2. Functional requirements and planning

3. Software design specifications

4. Software development and build

5. Acceptance testing and implementation

6. Operational/maintenance

7. Disposal

Regardless of the names that a given framework might assign to the various steps, the goal of a framework is to provide security in the software development lifecycle. The failure to adopt a structured development model increases a product’s risk of failure, and it is likely that the final product will not meet the customer’s needs. Table 9.2 describes the stages of development and the activities that occur in each phase.

Project Initiation

The project initiation stage usually involves a meeting that includes everyone involved with the project to answer big questions like What are we doing? Why are we doing it? and Who is our customer? At this meeting, the feasibility of the project is considered. The cost of the project must be discussed, as well as the potential benefits that the product is expected to bring to the system’s users. A payback analysis should be performed to determine how long the project will take to pay for itself. In other words, the payback analysis determines how much time will lapse before accrued benefits overtake accrued and continuing costs.

If the decision is to move the project forward, the team should develop a preliminary timeline. Discussions should be held to determine the level of risk involved with handling data and to establish the ramifications of accidental exposure. This activity clarifies the precise type and nature of information that will be processed, as well as its level of sensitivity. This first look at security must be completed before the functional requirements and planning stage begins.

Functional Requirements and Planning

The functional requirements and planning phase is the time to fully define the need for the solution and map how the proposed solution meets the need. This stage requires the participation of management as well as users. Users need to identify requirements and desires they have regarding the design of the application. Security representatives must verify the identified security requirements and determine whether adequate security controls are being defined.

An entity relationship diagram (ERD) is often used to help map the identified and verified requirements to the needs being met. An ERD defines the relationship between the many elements of a project. An ERD is similar to a database, grouping together like data elements. Each entity has a specific attribute, called the primary key, which is drawn as a rectangular box containing an identifying name. Relationships, drawn as diamonds, describe how the various entities are related to each other.

Figure 9.1 shows the basic design of an ERD. An ERD can be used to help define a data dictionary. After the data dictionary is designed, the database schema is developed to further define tables and fields and the relationships between them. The completed ERD becomes the blueprint for the design and is referred to during the design phase.

Software Design Specifications

Detailed design specifications can be generated either for a program that will be created or in support of the acquisition of an existing program. All functions and operations are described during the software design specifications stage. Programmers design screen layouts and create process diagrams. Supporting documentation is also generated. The output of the software design specifications stage is a set of specifications that delineates the new system as a collection of modules and subsystems.

Scope creep—the expansion of the scope of the project—most often occurs during this stage. Small changes in the design can add up over time. Although little changes might not appear to have big costs or impacts on the schedule of a project, these changes can have a cumulative effect and increase both the length and cost of the project.

Proper detail at this stage plays a large role in the overall security of the final product. Security should be the focus here as controls are developed to ensure input, output, audit mechanisms, and file protection. Sample input controls include dollar counts, transaction counts, error detection, and correction. Sample output controls include validity checking and authorization controls.

Software Development and Build

During the software development and build stage, programmers work to develop the application code specified in the previous stage, as illustrated in Figure 9.2.

Programmers should strive to develop modules that have high cohesion and low coupling. Cohesion refers to the ability of a module to perform a single task with low input from other modules. Coupling refers to the interconnections or dependencies between modules. Low coupling means that a change to one module should not affect another, and the module has high cohesion.

This stage includes testing of the individual modules developed, and accurate results have a direct impact on the next stage: integrated testing with the main program. Maintenance hooks are sometimes used at this point in the process to allow programmers to test modules separately without using normal access control procedures. It is important that these maintenance hooks, also referred to as backdoors, be removed before the software code goes to production. Programmers might use online programming facilities to access the code directly from their workstations. Although this typically increases productivity, using online facilities and leaving maintenance hooks in place increases the risk that someone will gain unauthorized access to the program library.

Several types of controls should be built into a program during this stage:

• Preventive controls: These controls include user authentication and data encryption.

• Detective controls: These controls provide audit trails and logging mechanisms.

• Corrective controls: These controls add fault tolerance and data integrity mechanisms.

Three types of testing can be used to validate the security of the application:

• Unit testing: This type of testing examines an individual program or module.

• Interface testing: This type of testing examines hardware or software to evaluate how well data can be passed from one entity to another.

• System testing: This series of tests starts in this phase and continues into the acceptance testing phase. It includes recovery testing, security testing, stress testing, volume testing, and performance testing.

Acceptance Testing and Implementation

The acceptance testing and implementation stage, which occurs when the application coding is complete, should not be performed by the programmers who created the code. Instead, testing should be performed by test experts or quality assurance engineers. An important concept here is separation of duties. If the code were built and verified by the same individuals, errors might be overlooked, and security functions might be bypassed.

You need to conduct this stage of the SDLC even when acquiring software instead of building your own. If you acquire software, you must assess the security impact of the software. You should have in place a software assurance policy that defines the software acquisition process:

• Planning

• Procurement and contracting

• Implementation and acceptance

• Follow-on

Models vary greatly on specifically what tests should be completed and how much, if any, iteration is necessary within that testing. Table 9.3 lists some common types of acceptance and verification tests of which you should be aware.

When all pertinent issues and concerns have been worked out between the QA engineers, the security professionals, and the programmers, an application is ready for deployment.

Operations/Maintenance

During the operations/maintenance phase, an application is prepared for release into its intended environment. This is the final opportunity to assess the effectiveness of the software’s security. Logging ensures accountability and nonrepudiation, and it facilitates audits. Some guidelines and best practices for logging include NIST SP 800-92 and the Open Web Application Security Project (OWASP) Cheat Sheet on logging.

This is the stage where final user acceptance is performed, and any required certification and/or accreditation is achieved. It is also the stage at which management accepts the application and agrees that it is ready for use.

Certification requires a technical review of a system or an application to ensure that it does what it is supposed to do. Certification testing often includes an audit of security controls, a risk assessment, and/or a security evaluation. Typically, the results of certification testing are compiled into a report that becomes the basis for accreditation, which is management’s formal acceptance of a system or an application. Management might request additional testing, ask questions about the certification report, or simply accept the results. When the system or application is accepted, a formal acceptance statement is usually issued.

Operations management begins when an application is rolled out. Maintenance, support, and technical response must be addressed. Data conversion might also need to be considered. If an existing application is being replaced, data from the old application might need to be migrated to the new application. The rollout of the application might occur all at once or in a phased manner over time. Changeover techniques include the following:

• Parallel operation: The old and new applications are run simultaneously, with all the same inputs, and the results between the two applications are compared. Fine-tuning can be performed on the new application as needed. As confidence in the new application improves, the old application can be shut down. The primary disadvantage of this method is that both applications must be maintained for a period of time.

• Phased changeover: With a large application, a phased changeover might be possible. With this method, applications are upgraded one piece at a time.

• Hard changeover: This method establishes a date on which users are forced to change over. The advantage of a hard changeover is that it forces all users to change at once. However, it introduces a level of risk into the environment because things can go wrong.

Disposal

The disposal stage of the SDLC is reached when the application or system is no longer needed. Those involved in this stage of the process must consider how to dispose of the application securely, archive any information or data that might be needed in the future, perform disk sanitization (to ensure confidentiality), and dispose of equipment. This is an important step that is sometimes overlooked.

Development Methodologies

A crucial part of system development is finding a good framework and adhering to the process it entails. The sections that follow explain several proven software development processes. Each of these models involves a predictable lifecycle. Each model has strengths and weaknesses. Some work well when a time-sensitive or high-quality product is needed, whereas others offer greater quality control and can scale to very large projects.

The Waterfall Model

Probably the most well-known software development process is the waterfall model. This model, which was developed by Winston Royce in 1970, operates as the name suggests, progressing from one level down to the next. An advantage of the waterfall method is that it provides a sense of order and is easily documented.

The original waterfall model prevented developers from returning to stages once they were complete; the process flowed logically from one stage to the next. Modified versions of the model are common today, including the V-shaped methodology shown in Figure 9.3.

In the V-shaped model, instead of moving down only, the process steps are bent upward after the coding phase, to form the V shape for which the model is named. The V-shaped model requires testing during the entire development process. It is best used with projects that are small in scope. The primary disadvantage is that it does not work for large and complex projects because it does not allow for much revision.

The Spiral Model

In the spiral model, which was developed in 1988 by Barry Boehm, each phase starts with a design goal and ends with the client review. The client can be either internal or external and is responsible for reviewing progress. Analysis and engineering efforts are applied at each phase of the project.

An advantage of the spiral model is that it takes risk very seriously. Each phase of a project contains its own risk assessment, and each time a risk assessment is performed, the schedules and estimated cost to complete are reviewed, and a decision is made to continue or cancel the project. The spiral model works well for large projects. The disadvantage of this method is that it is much slower and takes longer to complete than the waterfall model. Figure 9.4 illustrates this model.

Joint Application Development (JAD)

Joint application development (JAD) is a process developed at IBM in 1977 that accelerates the design of information technology solutions. An advantage of JAD is that it helps developers work effectively with the users who will be using the applications developed. A disadvantage is that it requires users, expert developers, and technical experts to work closely together throughout the entire process. Projects that are good candidates for JAD have some of the following characteristics:

• Involve a group of users whose responsibilities cross department or division boundaries

• Are considered critical to the future success of the organization

• Involve users who are willing to participate

• Are developed in a workshop environment

• Use a facilitator who has no vested interest in the outcome

Rapid Application Development (RAD)

Rapid application development (RAD) is a fast application development process that delivers results quickly. RAD is not suitable for all projects, but it works well for projects that are on strict time limits. However, the decisions made quickly in RAD can lead to poor design and product. RAD is therefore not used for critical applications, such as shuttle launches. Two of the most popular RAD tools for Microsoft Windows are Delphi and Visual Basic.

Incremental Development

Incremental development is an approach that involves staged development of systems. Work is defined so that development is completed one step at a time. A minimal working application might be deployed, with subsequent releases to enhance functionality and/or scope.

Prototyping

Prototyping frameworks aim to reduce the time required to deploy applications. These frameworks use high-level code to quickly turn design requirements into application screens and reports that users can review. User feedback is gathered to fine-tune an application and improve it. Top-down testing works best with this development construct. Although prototyping clarifies user requirements, it also leads to the quick creation of a skeleton of a product with no guts surrounding it. Seeing complete forms and menus can confuse users and clients and lead to overly optimistic project timelines. Also, because change happens quickly, changes might not be properly documented, and scope creep might occur. Prototyping is often used for proprietary products being designed for specific customers.

Modified Prototype Model (MPM)

The modified prototype model (MPM) was designed to be used for web development. MPM focuses on quickly deploying basic functionality and then gathering user feedback to expand that functionality. MPM is especially useful when the final nature of the product is unknown.

Computer-Aided Software Engineering (CASE)

Computer-aided software engineering (CASE) enhances the SDLC by using software tools and automation to perform systematic analysis, design, development, and implementation of software products. The tools are useful for large, complex projects that involve multiple software components and lots of people. Its disadvantages are that it requires building and maintaining software tools and training developers to understand how to use the tools effectively. CASE can be used in the following cases:

• For modeling real-world processes and data flows through applications

• For developing data models to better understand processes

• For developing process and functional descriptions of models

• For producing databases and database management procedures

• For debugging and testing code

Agile Development Methods

Agile software development allows teams of programmers and business experts to work together closely.

According to the agile manifesto (see agilemanifesto.org):

We are uncovering better ways of developing software by doing it and helping others do it. Through this work, we have come to value:

• Individuals and interactions over processes and tools.

• Working software over comprehensive documentation.

• Customer collaboration over contract negotiation.

• Responding to change over following a plan.

Agile project requirements are developed using an iterative approach, and an agile project is mission driven and component based. Agile development may make use of an integrated product team (IPT), which is a multitalented group of people who are responsible for creating and delivering a specified process or product. IPTs should be formed to manage the development of individual product elements or sustainment processes. These teams should be empowered to make critical decisions. Popular agile development models include the following:

• Extreme programming (XP): The XP development model requires that teams include business managers, programmers, and end users. These teams are responsible for developing usable applications in short time frames. One potential problem with XP is that teams are responsible not only for coding but also for writing the tests used to verify the code. In addition, there is minimal focus on structured documentation, and XP does not scale well for large projects.

• Scrum: Scrum is an iterative development method in which repetitions referred to as sprints typically last 30 days each. Scrum is typically used with object-oriented technology and requires strong leadership and a team that can meet at least briefly each day. The planning and direction of tasks passes from the project manager to the team. The project manager’s main task is to work on removing any obstacles from the team’s path. The scrum development method owes its name to the team dynamic structure of rugby.

Maturity Models

The Capability Maturity Model (CMM) was designed as a framework for software developers to improve the software development process. It allows software developers to progress from an anything-goes type of development to a highly structured, repeatable process. As software developers grow and mature, their productivity increases, and the quality of their software products becomes more robust. Through the standardization activities of ISO 15504, the CMM officially became the Capability Maturity Model Integration (CMMI) in 2007. The CMMI includes five maturity levels, as shown in Table 9.4.

Carnegie Mellon University introduced the IDEAL model for software process improvement. It is a process-improvement and defect-reduction methodology. Table 9.5 outlines the maturity levels of the IDEAL model.

Scheduling

Scheduling involves linking individual tasks. The link relationships are based on earliest start date or latest expected finish date. Gantt charts provide a way to display these relationships.

The Gantt chart was developed in the early 1900s as a tool to assist the scheduling and monitoring of activities and progress. Gantt charts show the start and finish dates of each element of a project. Gantt charts also show the relationships between activities in a calendar-like format. They have become some of the primary tools used to communicate project schedule information. The baseline of a Gantt chart illustrates what will happen if a task is finished early or late.

Program evaluation and review technique (PERT) is the preferred tool for estimating time when a degree of uncertainty exists. PERT uses a critical path method that applies a weighted average duration estimate.

PERT uses probabilistic time estimates to create a three-point—best, worst, and most likely time—evolution of activities. The PERT weighted average is calculated as follows:

PERT weighted average = Optimistic time + 4 × Most likely time + Pessimistic time / 6

Every task branches out to three estimates:

• One: The most optimistic time in which the task can be completed.

• Two: The most likely time in which the task will be completed.

• Three: The worst-case scenario or longest time in which the task might be completed.

Change Management

Change management is a formalized process for controlling modifications made to systems and programs: analyze a request, examine its feasibility and impact, and develop a timeline for implementing the approved changes. The change management process provides all concerned parties with an opportunity to voice their opinions and concerns before changes are made. Although types of changes vary, change control follows a predictable process with the following typical steps:

1. Request the change.

2. Approve the change request.

3. Document the change request.

4. Test the proposed change.

5. Present the results to the change control board.

6. Implement the change, if approved.

7. Document the new configuration.

8. Report the final status to management.

DevOps is an example of a change management approach that uses agile principles. DevOps, which combines development and operations, includes the following elements:

• Testability: Develop/test against simulated production systems.

• Deployability: Deploy with automated processes that are iterative, repeatable, frequent, and reliable.

• Monitorability: Monitor the application to address issues early on.

• Modifiability: Allow for efficient feedback by creating effective communication channels.

Documentation is the key to a good change control process. Tracking should include receiving the request, evaluating the cost/benefit, and prioritizing the work of the developers and team. The system maintenance staff of the department requesting a change should keep a copy of that change’s approval. Without a change control process in place, there is significant potential for security breaches. The following are indicators of poor change control:

• There is no formal change control process in place.

• Changes are implemented directly by the software vendors or others without internal control; this can indicate a lack of separation of duties.

• Programmers place code in an application that is not tested or validated.

• A change that is made was not authorized by the change review board.

• The programmer has access to both the object code and the production library; this situation presents a threat because the programmer might be able to make unauthorized changes to production code.

• Version control is not implemented.

In some cases, such as emergency situations, a change might occur without going through the change control process. These emergencies typically are in response to situations that endanger production or could halt a critical process. If programmers are to be given special access or provided with an increased level of control, the security professional with oversight should make sure that checks are in place to track those programmers’ access and record any changes made.

Database Management

Databases are important to business and government organizations as well as to individuals because they provide a way to catalog, index, and retrieve related pieces of information and facts. These repositories of data are widely used. If you have booked a reservation on a plane, looked up the history of a used car you were thinking about buying, or researched the ancestry of your family, you have most likely used a database during your quest.

A database can be centralized or distributed, depending on the database management system (DBMS) that has been implemented. The DBMS allows the database administrator to control all aspects of the database, including design, functionality, and security. There are several popular types of database management systems:

• Hierarchical database management system: A hierarchical database links structures into a tree structure. Each record can have only one owner. Because of this, a hierarchical database often can’t be used to relate to structures in the real world.

• Network database management system: This type of database system was developed to be more flexible than a hierarchical DBMS. The network database model is referred to as a lattice structure because each record can have multiple parent and child records.

• Relational database management system: A relational database consists of a collection of tables linked to each other by their primary keys. Many organizations use this model. Most relational databases use SQL as their query language. A relational DBMS (RDBMS) is a collection based on set theory and relational calculations. This type of database groups data into ordered pairs of relationships (each pair consisting of a row and column) known as a tuple. The majority of modern databases are relational.

• Object-relational database system: This type of database system is similar to an RDBMS but is written in an object-oriented programming language. This allows it to support extensions to the data model and to be a middle ground between relational databases and object-oriented databases.

Database Terms

In case you are not familiar with the world of databases, this section provides a review of some common database-related terms that security professionals should be familiar with (see Figure 9.6):

• Aggregation: The process of combining several low-sensitivity items and drawing medium- or high-sensitivity conclusions.

• Inference: The process of deducing privileged information from available unprivileged sources.

• Attribute: A characteristic about a piece of information. Where a row in a database table represents a database object, each column in that row represents an attribute of that object.

• Field: The smallest unit of data within a database.

• Foreign key: An attribute in one table that cross-references to an existing value that is the primary key in another table.

• Granularity: Refers to the level of control a program has over the view of the data that someone can access. Highly granular databases make it possible to restrict views, according to the user’s clearance, at the field or row level.

• Relation: A defined interrelationship between the data elements in a collection of tables.

• Tuple: A record used to represent a relationship among a set of values. In an RDBMS, a tuple identifies a column and a row.

• Schema: The totality of the defined tables and interrelationships for an entire database, which defines how the database is structured.

• Primary key: A key that uniquely identifies each row and assists with indexing a table.

• View: The database construct that an end user can see or access.

Integrity

The integrity of data refers to its accuracy. To protect the integrity of the data in a database, specialized controls are used, including rollbacks, checkpoints, commits, and savepoints. There are two types of data integrity:

• Semantic integrity: Assures that the data in any field is of the appropriate type. Controls that check for the logic of data and operations affect semantic integrity.

• Referential integrity: Assures the accuracy of cross-references between tables. Controls that ensure that foreign keys only reference existing primary keys affect referential integrity.

Transaction Processing

Transaction management is critical in assuring integrity. Without proper locking mechanisms, multiple users could be altering the same record simultaneously, and there would be no way to ensure that transactions were valid and complete. This is especially important with online systems that respond in real time. These systems, known as online transaction processing (OLTP) systems, are used in many industries, including banking, airlines, mail order, supermarkets, and manufacturing. Programmers involved in database management use the ACID test when discussing whether a database management system has been properly designed to handle OLTP:

• Atomicity: Results of a transaction are either all or nothing.

• Consistency: Transactions are processed only if they meet system-defined integrity constraints.

• Isolation: The results of a transaction are invisible to all other transactions until the original transaction is complete.

• Durability: Once a transaction is complete, the results of the transaction are permanent.

Database Vulnerabilities and Threats

Protecting databases is not an easy task. Database attacks are some of the most common attack vectors, and SQL injection has topped the OWASP list for more than 10 years. Many database security issues are directly attributed to poor development practices. As a security professional, you should understand the following common vulnerabilities and threats:

• SQL injection: This type of attack, typically caused by unsanitized input, allows the attacker to inject a SQL query via the input data from the client to the application.

• Default, blank, or weak passwords: Authentication credentials should be strong, and all weak and blank passwords removed.

• Extensive privileges: The level of access provided should be only what’s needed to do the task. Administrator privileges should not be provided.

• Broken configuration management: Active measurement of the environment is required to detect undocumented changes, which typically reduce security.

• Enabled features that are not needed: It is important to remove, block, and disable all features that are not needed. Reducing the attack surface makes it harder for an attacker to succeed.

• Privilege escalation: This is a vulnerability in which an attacker gains an additional level of access.

• Denial of service (DoS): A DoS attack may not give the attacker access, but it can disrupt normal operations and block others from accessing the database.

• Unpatched database: Unpatched systems are common vulnerabilities. Patching is a key component of security.

• Unencrypted sensitive data: Encryption is one of the key controls to protecting sensitive data.

• Buffer overflow: This is yet another common vulnerability. All data should have proper input validation done to ensure that the data is formatted correctly and with normal bounds of operation. (Buffer overflows are discussed later in this chapter.)

Artificial Intelligence and Expert Systems

An expert system is a computer program that contains a knowledge discovery database, a set of rules, and an inference engine. This data mining technique can be used to discover nontrivial information and extract knowledge from a large amount of data. At the heart of such a system is the knowledge base—a repository of information against which the rules are applied.

Expert systems are typically designed for specific purposes and have the capability to infer. For example, a hospital might have a knowledge base that contains various types of medical information; if a doctor enters the symptoms weight loss, emotional disturbances, impaired sensory perception, pain in the limbs, and periods of irregular heart rate, the expert system can scan the knowledge base and diagnose the patient as suffering from beriberi.

The challenge in the creation of knowledge bases is to ensure that their data is accurate, that access controls are in place, that the proper level of expertise was used in developing the system, and that the knowledge base is secured.

Neural networks are networks that are capable of learning new information (see Figure 9.7). Artificial intelligence (AI) is possible thanks to the combination of expert systems and neural networks. Neural networks make use of multiple levels of nodes to filter data and apply weights; they mimic processes used by the human brain. Eventually, an output is triggered, and a fuzzy solution is provided. It’s called a fuzzy solution because it can lack exactness.

Programming Languages, Secure Coding Guidelines, and Standards

Programming languages permit the creation of instructions that a computer can understand. The types of tasks that get programmed and the instructions or code used to create a program depend on the nature of the organization. Programming has evolved through five generations of languages, as illustrated in Figure 9.8 and described in the list that follows:

• Generation 1: Machine language, the native language of a computer, consisting of binary ones and zeros.

• Generation 2: Assembly language, human-readable notation that translates easily into machine language.

• Generation 3: High-level programming language. The 1960s through the 1980s saw the emergence and growth of many third-generation languages (3GLs), such as Fortran, COBOL, C+, and Pascal.

• Generation 4: Very high-level language. This generation of languages grew from the 1970s through the early 1990s. Fourth-generation languages (4GLs), such as SQL, are typically used to access databases.

• Generation 5: Natural language. Fifth-generation languages (5GLs) took off in the 1990s and were considered the wave of the future. 5GLs are categorized by their use of inference engines and natural language processing. Mercury and Prolog are two examples of fifth-generation languages.

After the code is written, it must be translated into a format that the computer will understand. These are the three most common methods:

• Assembler: An assembler translates assembly language into machine language.

• Compiler: A compiler translates a high-level language into machine language.

• Interpreter: Instead of compiling an entire program, an interpreter translates a program line by line. Interpreters have a fetch-and-execute cycle. An interpreted language is much slower to execute than a compiled or assembled program, but it does not need a separate compilation or assembly step.

Hundreds of different programming languages exist. Many have been written for specific niches or to meet market demands. The following are some examples of common programming languages:

• ActiveX: This language provides a foundation for higher-level software services, such as transferring and sharing information among applications. ActiveX controls are a Component Object Model (COM) technology. COM is designed to hide the details of an individual object and focus on the object’s capabilities. An extension to COM is COM+.

• C, C+, C++, and C#: The C programming language, which replaced B, was designed by Dennis Ritchie. C was originally designed for UNIX and is very popular and widely used. From a security perspective, some C functions are known to be susceptible to buffer overflows.

• HTML: Hypertext Markup Language (HTML) is a markup language that is used to create web pages.

• Java: This is a general-purpose computer programming language, developed in 1995 by Sun Microsystems.

• Visual Basic: This programming language was designed to be used by anyone and enables rapid development of practical programs.

• Ruby: This object-oriented programming language was developed in the 1990s for general-purpose use. It has been used in the development of such projects as Metasploit.

• Scripting languages: A scripting language is a type of programming language that is usually interpreted rather than compiled and allows some control over a software application. Perl, Python, and Java are examples of scripting languages.

• XML: Extensible Markup Language (XML) is a markup language that specifies rules for encoding documents. XML is widely used on the Internet.

Object-Oriented Programming

Multiple development frameworks have been created to assist in defining, grouping, and reusing both code and data. Methods include data-oriented system programming, component-based programming, web-based applications, and object-oriented programming. Of these, the most commonly deployed is object-oriented programming (OOP), an object technology that grew from modular programming. OOP allows a programmer to reuse and interchange code between programs in modular fashion without starting over from scratch. It has been widely embraced because it is efficient and results in relatively low programming costs. Because OOP makes use of modules, a programmer can easily modify an existing program. Java and C++ are two examples of OOP languages.

In OOP, objects are grouped into classes, and all objects in a class share a particular structure and behavior. Characteristics from one class can be passed down to another through the process of inheritance. OOP relies on the following concepts:

• Encapsulation: This is the process of hiding the functionality of an object inside that object or, for a process, hiding the functionality inside that process’s class. Encapsulation permits a developer to keep information disjointed—that is, to separate distinct elements so that there is no direct unnecessary sharing or interaction between the various parts.

• Polymorphism: In general, polymorphism means that one thing has the capability to take on many appearances or make copies of itself. In OOP, polymorphism is used to invoke a method on a class without needing to care about how the invocation is accomplished. Likewise, the specific results of the invocation can vary because objects have different variables that respond differently.

• Polyinstantiation: In general, polyinstantiation means that multiple instances of information are being generated. Polyinstantiation is used in many settings. For example, polyinstantiation is used to display different results to different individuals who pose identical queries on identical databases, due to those individuals possessing different security levels. It is widely used by the government and military to unify information bases while protecting sensitive or classified information. Without polyinstantiation, an attacker might be able to aggregate information from various sources to mount an inference attack and determine secret information. Initially, a piece of information by itself appears useless, like a piece to a puzzle, but when you put together several pieces of the puzzle, you begin to form an accurate picture.

Object-oriented design (OOD) is used to bridge the gap between a real-world problem and a software solution. OOD modularizes data and procedures, making it possible to provide a detailed description of how a system is to be built. Object-oriented analysis (OOA) and OOD are sometimes combined as object-oriented analysis and design (OOAD).

CORBA

Functionality that exists in a different environment from your code can be accessed and shared using vendor-independent middleware known as Common Object Request Broker Architecture (CORBA). CORBA’s purpose is to allow different vendor products, such as computer languages, to work seamlessly across distributed networks of diversified computers. The heart of the CORBA system is the Object Request Broker (ORB), which simplifies the process of requesting server objects for clients. The ORB locates a requested object, transparently activates it as necessary, and then delivers the requested object to the client.

Security of the Software Environment

The security of software is a critical concern. Protection of the confidentiality, integrity, and availability of data and program variables is one of the top concerns of a security professional. During the software design phase, you should consider risk analysis and mitigation. It’s critical that the software development team identify, understand, and mitigate any risks that might make the organization vulnerable. Total risk refers to the probability and size of a potential loss. Every development project has elements of risk. For example, in an application that will deal with order quantities, the numbers should be positive; if you made it possible for someone to order negative 17 of an item, you would face added risk. Sanitizing inputs and outputs to allow only qualified values reduces the attack surface. Think of the attack surface as all of the potential ways in which an attacker can attack the application. Integrity of your code can be verified with hashing tools such as MD5sum or SHA1sum.

A vulnerability is a flaw, loophole, or weakness in an application that leads it to process critical data insecurely. A threat actor who can exploit vulnerabilities can gain access to software. Some common software vulnerabilities include escalation of privileges, buffer overflow, SQL injection, cross-site request forgery (CSRF), and cross-site scripting (XSS). It is important to remember that fixing security weaknesses and vulnerabilities at the source code level is much cheaper than waiting until later in the process. Penetration testing and fuzzing are much more expensive than fixing a vulnerability before the build process is complete.

Threat modeling is another technique that can be used to reduce risk and calculate the attack surface. Threat modeling details the potential attacks, targets, and any vulnerabilities of an application. It can also help determine the types of controls needed to prevent an attack. For example, when you enter an incorrect username or password, do you get a generic response, or does the application respond with too much data, as shown in Figure 9.9? Just keep in mind that the best practice from a security standpoint is to not identify which entry was invalid and provide only a generic message.

A security professional should also consider the following:

• What is the software environment? Where is the software used? Is it on a mainframe, or maybe a publicly available website? Is the software run on a server, or is it downloaded and executed on the client (mobile code)?

• What programming language and toolset were used? Some languages, such as C, are known to be vulnerable to buffer overflows.

• What security issues and concerns are present in the source code? Depending on how the code is processed, it may or may not be easy to identify problems. For example, a compiler translates a high-level language into machine language, whereas an interpreter translates the program line by line. It is important to determine whether an attacker can change input, process, or output data and whether the program will flag on these errors.

• How do you identify malware and defend against it? At a minimum, malware protection (antivirus) software needs to be deployed and methods to detect unauthorized changes need to be implemented.

A risk assessment should be conducted for all application programming interfaces (APIs). Fuzz testing can be used to validate security controls and reduce the attack surface. APIs use function calls and offer developers the ability to bypass traditional web pages and interact directly with the underlying service. This type of functionality also comes with risk. Simple Object Access Protocol (SOAP) and Representational State Transfer (REST) are examples of API styles. REST is an architectural style and uses uniform service locators. SOAP is a protocol and uses service interfaces. It is a standardized protocol that aids in sending messages using other protocols, such as HTTP and SMTP. REST was created to address the problems of SOAP. Three methods of authentication for RESTful APIs include the following:

• Basic: This method provides the lowest security. Basic authentication should not be used.

• OAuth 1.0a: This method is a secure but complicated process.

• OAuth 2.0: This method is similar to OAuth 1.0a but is less complex and lacks a signature.

Security doesn’t stop after the software development process. The longer a program has been in use, the more vulnerable it becomes as attackers have more time to probe and explore methods to exploit it. Attackers might even analyze patches to determine what the patches are trying to fix and figure out how such vulnerabilities might be exploited.

Security professionals need to do proper planning for timely patch and update deployment. A patch is a fix to a particular problem in software applications or operating system code that does not create a security risk but does create problems with the application. A hot fix is quick but lacks full integration and testing, and it addresses only a specific issue. A service pack is a collection of all the patches to date; it is considered critical and should be installed as soon as possible.

Mobile Code

Mobile code, which is widely used on the web, is software that will be downloaded from a remote system and run on the computer performing the download. The security issue with mobile code is that it is executed locally. Many times, the user might not even know that the code is executing. Examples of mobile code include scripts, VBScript, applets, Flash, Java, and ActiveX controls. With mobile code, the downloaded program runs with the access rights of the logged-in user.

Java is the dominant programming language of mobile code. It is a compiled high-level language that can be used on any type of computer. It uses a sandbox security scheme. Java is extremely portable because the output of the Java compiler is not executable code but bytecode. Bytecode is a type of instruction set designed for efficient execution by a software interpreter to be executed by the Java runtime system, which is called the Java Virtual Machine (JVM).

A Java applet is a specific type of Java program that is designed to be transmitted over the Internet and automatically executed by a Java-compatible web browser, such as Edge, Firefox, Chrome, or Safari. The security issue with applets is that they are downloaded on demand, without further interaction with the user.

Buffer Overflow

A buffer is a temporary data storage area whose length and type are defined in the program code that creates it or by the operating system. Buffer overflows occur when programmers use unsecured functions or don’t enforce limits on buffers—basically, when programmers do not practice good coding techniques. For example, a program should check for and prevent any attempt to stuff 32 letters into a buffer intended for 24 digits. However, this type of error checking does not always occur, and attackers commonly use buffer overflows to gain access to systems and/or for privilege escalation. Attackers can use unprotected buffers to attempt to inject and run malicious code. Worse, if the original code executed has administrator or root rights, those privileges are granted to the attacker as well. In such a case, the attacker can gain access to a privileged command shell on the system that is under attack. When this occurs, the attacker has complete control.

Buffer overflows are a huge problem, and any hacker, ethical or not, is going to search for them. The best way to prevent buffer overflows is to have perfect programs. Because that is not possible, you can implement some compensating controls:

• Audit the code: The individuals who write code should not be the ones auditing that code. Manual audits should be performed by a different group of individuals who are trained to look for poorly written code and potential security problems. Although audits are effective, they can be expensive and time-consuming with large, complex programs.

• Use safer functions: Some programming languages offer more support against buffer overflows than C. If C is going to be used, ensure that safer C library support is used.

• Improved compiler techniques: Compilers such as Java automatically check whether a memory array index is working within the proper bounds.

• Harden the stack: Buffer overflows lead to overwrites of code and pointers in the program’s stack space, which holds the code and predefined variables. This overwriting is called “smashing the stack” (see insecure.org/stf/smashstack.html). However, products such as StackGuard and Visual Basic have evolved special guard buffers called canaries that are compiled into code. A canary is a protected zone that is added between chunks of stack code. The code’s execution is immediately halted if a canary is breached in a stack smashing attempt. Such techniques are not 100% effective and might still be vulnerable to heap overflows.

Financial Attacks

A large number of the attacks that occur today are perpetrated for financial reasons. One example is rounding-down attacks, which involve skimming off small amounts of money by rounding down the last few digits. With a bank account that has $8,239,128.45 in it, and an attacker might round down the amount to $8,239,128.40. A salami attack is similar; it involves slicing off small amounts of money so that the last few digits are truncated. For example, $8,239,128.45 would become $8,239,128. Both rounding and salami attacks take advantage of the fact that small amounts will not be missed and that over time the pennies will add up to big profits for the attacker. (When you take a break from studying, check out the 1999 movie Office Space to see a good example of an attempted salami attack.)

An attacker might even plant code with the thought of waiting until a later date to have it execute. This is called a logic bomb, and while logic bombs are not just for financial attacks, they can cause a great deal of damage. A logic bomb can be designed to detonate on some predetermined action or trigger. Because they are buried so deep in the code, logic bombs are difficult to discover or detect before they become active. Fired employees might use them to strike back at their former employer.

Change Detection

Hashing can enable a security professional to detect malicious code and is commonly used as an indicator of compromise (IOC). IOCs are simply pieces of forensic data, such as changed hashes, entries found in system log entries or other items that identify potentially malicious activity. Hash-based application verification ensures that an application has not been modified or corrupted; it does so by comparing the file’s hash value to a previously calculated value, and if these values match, the file is presumed to be unmodified.

Change detection is another useful technique. Change detection software, such as Tripwire, detects changes to system and configuration files. Most of these programs work by storing a hashed value of the original file in a database. Periodically, the file is rechecked, and the hashed values are compared. If the two values do not match, the program can trigger an alert to signal that there might have been a compromise. Change detection combined with other technologies such as SIEM, IDP, and end point protection forms the basics of cyber security controls.

Hashed values are the most widely used mechanisms for detecting changes in files. Most software vendors provide Web-accessible summaries that list the fingerprints of all files included in their products. This gives users a way to ensure that they have authentic files.

Viruses and Worms

Malware has been around since the dawn of the computer era. Two common types of malware are viruses and worms. Some viruses and worms can spread quickly, and others spread slowly. Fast-infection viruses infect all files that they are capable of infecting. On the other hand, sparse infectors have more limited rates of spread. Viruses operate as file infection, macro, polymorphic, multipartite, and fileless infectors. Fileless malware emerged in 2017 and can execute in one of several ways including windows registry manipulation, memory code injection, and script-based techniques. Typically, fileless malware is written directly to the RAM, and executes from memory. Petya and WannaCry both used fileless techniques as part of their cyber kill chains.

Sometimes a virus is not malware at all and just simply a hoax. While not a true virus, a meme virus spreads like one and is basically a chain letter or email message that is continually forwarded.

Worms, unlike viruses, require no interaction on the user’s part to replicate and spread. One of the first worms to be released on the Internet was the RTM worm. It was developed by Robert Morris Jr. in 1988 and was meant only to be a proof of concept. The goals of worms and even malware in general now tend to be much more specific. For example, Stuxnet was developed to target programmable logic controllers (PLCs) that control the automation of centrifuges used for separating nuclear material.

Traditionally, antivirus contains a library of signatures that it uses to detect viruses. A signature identifies a pattern of bytes found in the virus code. Here is an example of a virus signature:

X5O!P%@AP[4PZX54(P^)7CC)7$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

This file is actually harmless, but it contains a signature like one found in a classic virus. This particular sequence was developed by the European Institute of Computer Anti-Virus Research (EICER) as a means of testing the functionality of antivirus software.

Next-generation antivirus goes beyond malware signatures and heuristics and uses predictive analytics driven by machine learning and artificial intelligence combined with threat intelligence. Next-generation antivirus can be used to prevent many types of known and unknown malware by monitoring; responding to attacker tactics, techniques, and procedures (TTPs); and examining patterns and activities associated with specific threat actors. These techniques along with advances in User Behavior Analytics (UBA) have changed the threat and defense landscape. UBA is the use of machine learning to model the behavior of legitimate users on corporate networks to detect anonymous behavior that could be the sign of a cyberattack.

Exam Prep Questions

1. As a security professional, you must understand the different types of application updates. All updates should be obtained from the manufacturer only and deployed into production only after being tested on non-production systems. Which of the following is the best answer that describes updates, patches, hot fixes, and service packs?

A. A hot fix has undergone full integration testing, has been released to address vulnerability, and addresses a specific issue; in most cases, a hot fix is not appropriate for all systems. A security patch lacks full integration and testing, has been released to address a vulnerability, and is mandatory. A service pack is a collection of patches that are critical and should be installed quickly.

B. A hot fix is quick, lacks full integration and testing, and addresses a specific issue; in most cases, a hot fix is not appropriate for all systems. A security patch is a collection of fixes that are critical and has been released to address a vulnerability. A service pack is a collection of patches and is considered critical.

C. A hot fix is a quick collection of critical, install-ASAP patches that address a specific issue; in most cases, a hot fix is not appropriate for all systems. A security patch has undergone full integration testing and has been released to address a vulnerability. A service pack is a collection of patches.

D. A hot fix is slow, has full integration and testing, and addresses a broad set of problems; in most cases, a hot fix is appropriate for all systems. A security patch is a collection of fixes that are not critical. A service pack is a collection of patches and is not considered critical.

2. Which of the following describes the CIA triad when applied to software security?

A. Confidentiality prevents unauthorized access, integrity prevents unauthorized modification, and availability deals with countermeasures to prevent denial of service to authorized users.

B. Confidentiality prevents unauthorized modification, integrity prevents unauthorized access, and availability deals with countermeasures to prevent denial of service to authorized users.

C. Confidentiality prevents unauthorized access, integrity prevents unauthorized modification, and availability deals with countermeasures to prevent unauthorized access.

D. Confidentiality deals with countermeasures to prevent denial of service to authorized users, integrity prevents unauthorized modification, and availability prevents unauthorized access.

3. Which of the following tools can be used for change detection?

A. DES

B. Checksums

C. md5sum

D. Parity bits

4. Bob has noticed that when he inputs too much data into his new Internet application, it momentarily locks up the computer and then halts the program. Which of the following best describes this situation?

A. Fail-safe

B. Buffer overflow

C. Fail-open

D. Fail-soft

5. Which of the following types of database management systems is considered a lattice structure, with each record having multiple parent and child records?

A. Hierarchical database management system

B. Network database management system

C. Object-oriented database management system

D. Relational database management system

6. Which database term refers to the capability to restrict certain fields or rows from unauthorized individuals?

A. Low granularity

B. High resolution

C. High granularity

D. Low resolution

7. Which of the following types of testing involves entering malformed, random data?

A. XSS

B. Buffer overflow

C. Fuzzing

D. Whitebox testing

8. OmniTec’s new programmer has left several entry points in its new e-commerce shopping cart program for testing and development. Which of the following terms best describes these entry points?

A. Trojan

B. Security flaws

C. SQL injections

D. Backdoor

9. What type of languages are Generation 2 programming languages?

A. Assembly

B. Machine

C. High level

D. Natural

10. Which of the following is considered middleware?

A. Atomicity

B. OLE

C. CORBA

D. Object-oriented programming

11. After Debbie becomes the programmer for the new payroll application, she places some extra code in the application that will cause the program to halt if she is fired and her name is removed from payroll. What type of attack has she launched?

A. Rounding down

B. Logic bomb

C. Salami

D. Buffer overflow

12. While working on a penetration test assignment, you discover that the organization’s database-driven e-commerce site will let you place a negative quantity into an order field so that the system will credit you money. Which of the following best describes this failure?

A. Referential integrity error

B. Buffer overflow

C. Semantic integrity error

D. Rounding down

13. Which of the following best describes bytecode?

A. It is processor specific.

B. It is used with ActiveX.

C. It is not processor specific.

D. It is used with COM and DCOM.

14. Which of the following is one of the best ways to deal with attacks like SQL, LDAP, and XML injection attacks?

A. Using type-safe languages

B. Manually reviewing code

C. Using emanations

D. Performing adequate parameter validation

15. Say that there are two objects, and neither of them knows how the other object works. The two objects are hidden from each other. Which of the following programming techniques would this scenario be most closely associated with?

A. Data modeling

B. Network database management system

C. Object-oriented programming

D. Relational database management system

Answers to Exam Prep Questions

1. B. A hot fix is quick, lacks full integration and testing, and addresses a specific issue; in most cases, a hot fix is not appropriate for all systems. A security patch is a collection of fixes that are critical and has been released to address a vulnerability. A service pack is a collection of patches and is considered critical. Answers A, C, and D are all incorrect because the definitions are swapped and connected to the wrong solutions. Software updates are optional and are usually functionality, not security, related. Firmware releases are produced to address security issues with hardware.

2. A. Confidentiality prevents unauthorized access, integrity prevents unauthorized modification, and availability deals with countermeasures to prevent denial of service to authorized users. Answers B, C, and D are incorrect and are just scrambled definitions that look similar to confuse the test taker.

3. C. One of the ways in which malicious code can be detected is through the use of change detection software. This software has the capability to detect changes to system and configuration files. Popular programs that perform this function include Tripwire and md5sum. Answer A is incorrect because DES is an asymmetric algorithm. Answers B and D are incorrect because both checksums and parity bits can be easily changed and, therefore, do not protect the software from change.

4. D. A fail-soft occurs when a detected failure terminates the application while the system continues to function. Answers A and C are incorrect because a fail-safe terminates the program and disables the system, while a fail-open is the worst of events because it allows attackers to bypass security controls and easily compromise the system. Answer B is incorrect because although a buffer overflow could be the root cause of the problem, the question asks why the application is halting in the manner described.

5. B. Network database management systems are designed for flexibility. The network database model is considered a lattice structure because each record can have multiple parent and child records. Answer A is incorrect because hierarchical database management systems are structured like a tree: Each record can have only one owner, and because of this restriction, hierarchical databases often can’t be used to relate to structures in the real world. Answer C is incorrect because object-oriented database management systems are not lattice based and don’t use a high-level language like SQL. Answer D is incorrect because relational database management systems are considered collections of tables that are linked by their primary keys.

6. C. Granularity refers to control over the view someone has of a database. With highly granular databases, it is possible to restrict certain fields or rows from unauthorized individuals. Answer A is incorrect because low granularity gives a database manager little control. Answers B and D are incorrect because high resolution and low resolution do not apply to the question.

7. C. Fuzzing is a form of blackbox testing that involves entering random input and monitoring for flaws or a system crash. The idea is to look for problems in the application. Answers A, B, and D are incorrect: This is not an example of whitebox testing, a buffer overflow, or XSS.

8. D. A backdoor is a technique used by programmers as a secret entry point into a program. Programmers find them useful during application development; however, they should be removed before the code is finalized. All other answers are incorrect: Answer B is also a security flaw, but it is not as specific as trapdoor; Trojans (answer A) are malicious in nature and pretend to be something they are not; and SQL injection (answer C) is targeted against databases.

9. A. Programming languages are categorized as follows: Generation 1 is machine language, Generation 2 is assembly language, Generation 3 is high-level language, Generation 4 is very high-level language, and Generation 5 is natural language.

10. C. Common Object Request Broker Architecture (CORBA) is vendor-independent middleware. Its purpose is to tie together different vendor products so that they can seamlessly work together over distributed networks. Answer B is incorrect because Object Linking and Embedding (OLE) is a proprietary system developed by Microsoft to allow applications to transfer and share information. Answer A is incorrect because atomicity deals with the validity of database transactions. Answer D is incorrect because object-oriented programming is a modular form of programming.

11. B. A logic bomb is designed to detonate sometime later, typically after the perpetrator leaves; it is usually buried deep in the code. Answers A, C, and D are incorrect: Rounding down involves skimming off small amounts of money by rounding down the last few digits; a salami attack involves slicing off small amounts of money so that the last few digits are truncated; and buffer overflow involves putting more information in a buffer than it is intended to hold.

12. C. Semantic integrity controls logical values, data, and operations that could affect them, such as placing a negative number in an order quantity field. Answers A, B, and D are incorrect: Referential integrity ensures that foreign keys only reference existing primary keys; buffer overflow involves putting more information in a buffer than it is intended to hold; and rounding down involves skimming off small amounts of money by rounding down the last few digits.

13. C. Bytecode is not processor specific and is a form of intermediate code used by Java. Answers A, B, and D are incorrect: Bytecode is not processor specific and can run on many systems; bytecode is not associated with ActiveX; and COM and DCOM are technologies associated with ActiveX.

14. D. Adequate parameter validation is seen as the best approach to dealing with input problems. All data must be checked for validity when input, when processed, and when output. Answers A, B, and C are incorrect: Moving to a type-safe language does not prevent buffer overflows; although manual review of code may find some problems, this might not always be possible; and switching to mobile code is not feasible in all situations.

15. C. Object-oriented development allows an object to hide the way an object works from other objects. Answers A, B, and D are incorrect: Data modeling considers data independently, network database management systems are designed for flexibility, and relational database management systems are considered collections of tables that are linked by their primary keys.

Need to Know More?

Building security software: www.owasp.org/index.php/OWASP_Guide_Project

Assessing security of acquired software: www.delltechnologies.com/en-us/blog/assessing-security-acquired-software-one-size-fit/

Six steps to change management: www.techrepublic.com/article/implement-change-management-with-these-six-steps/5074869

Object-oriented programming: encyclopedia2.thefreedictionary.com/Object-oriented+programming

Development methodologies: www.synopsys.com/blogs/software-security/top-4-software-development-methodologies/

Maturity models: www.process.st/maturity-model/

Change management: www.prosci.com/resources/articles/what-is-change-management

Security of code repositories: https://blog.cyberint.com/what-you-need-to-know-about-code-repository-threats

The history of SQL injection attacks: motherboard.vice.com/read/the-history-of-sql-injection-the-hack-that-will-never-go-away

SQL injection and database manipulation: www.securiteam.com/securityreviews/5DP0N1P76E.html

Secure coding practices: https://wiki.sei.cmu.edu/confluence/display/seccode/Top+10+Secure+Coding+Practices