Chapter 11: Managing Application Security

One of the main tasks that the cybersecurity team deals with is the management of applications used within the company, to ensure that they have no vulnerabilities and have been hardened. In this chapter, you will learn to deploy and manage applications effectively and select the appropriate development life cycle. You will learn about secure coding techniques, quality control, and testing. Let's begin by looking at implementing hosts and ensuring that they are secure before rolling them out.

In this chapter, we will cover the following topics:

• Implementing Host or Application Security
• Understanding the Security Implications of Embedded and Specialist Systems
• Understanding Secure Application Development, Deployment, and Automation

Implementing Host or Application Security

Within an organization, we use laptops, desktops, servers, and mobile devices such as tablets that can be used externally in unsecured environments such as hotels and airports. We therefore need to harden endpoints and their Operating System (OS) to ensure that they are as secure as we can possibly make them. There are various aspects that we need to look at, depending on the functionality of the device and where it is used. Let's look at all of the aspects that we need to take into consideration, starting with a system booting up.

Boot Integrity

When hosts are booting up, we need to ensure that they are protected as much as possible. We rely on them for being able to boot up securely before they are fully operational, and all of their protections are in place. We will now look at the UEFI and boot attestation:

• Unified Extensible Firmware Interface (UEFI): The UEFI is a modern version 
of the Basic Input/Output System (BIOS) that is more secure and is needed for a secure boot of the OS. The older BIOS cannot provide a secure boot.
• Early Launch Anti-Malware: In a Windows computer, early launch anti-malware tests all drivers that are being loaded and prevents rogue drivers from loading.
• Measured Boot: This was first adopted with Microsoft Windows 8, where all components from the firmware up to the applications and software are measured and stores this information in a log file. This log file is then stored in the Trusted Platform Module (TPM) chip on the motherboard. Anti-malware can use this information to ensure that when the system boots up, the software is trustworthy. This log can be sent to a remote server that can assess the health status of the host.
• Secure Boot and Attestation: OSes such as Windows 10 can perform a secure boot at startup where the OS checks that all of the drivers have been signed. If they have not, the boot sequence fails as the integrity of the system has been compromised. This can be coupled with attestation, where the integrity of the software has been confirmed. An example of this would be using FDE, such as BitLocker, to ensure that the software has not been tampered with. The BitLocker keys are stored on a TMP chip on the motherboard.

  Example: Your company is a multinational company that requires an OS that can be used by both desktops and laptops and can provide both secure booting and attestation. You would most likely use Microsoft Windows 10, which can provide secure booting and BitLocker to carry out system attestation.

Endpoint Protection

It is important that the endpoints are protected from an attack. Let's look at each of the endpoint protections in turn, starting with anti-virus:

• Anti-Virus: Anti-Virus monitors websites that are being visited and the files that are being downloaded to ensure that they are not affected by viruses or trojans. Most modern anti-virus solutions have the ability to carry out the role of anti-malware.
• Anti-Malware: Anti-malware scans your computer for adware and spyware, and prevents malicious software from running. These cannot be detected by anti-virus programs.
• Endpoint Protection and Response (EDR): An EDR is an advanced solution that is better than anti-virus or anti-malware. It is a centralized console that continuously monitors the computer, and makes automatic alerts when a threat has been detected. It uses machine learning to detect threats and has the ability to detect file-less viruses.
• Data Loss Prevention (DLP): An endpoint DLP solution can be set up so that it can protect data on your computer from being stolen by using email or a USB drive. DLP can also protect any data that has a pattern match, such as PII information or sensitive data.

  Example: I have a file called new business contacts and I want to ensure that it cannot be stolen. It does not have a pattern match. However, I can use the DLP solution, select the file, and a pattern match will be assigned to the file. When someone tries to email the file, it will be blocked by the DLP system.

• Next-Generation Firewall (NGFW): An NGFW is more than a traditional firewall. It has the ability to act as a stateful firewall by carrying out deep packet filtering. It can also inspect application traffic to ensure that it is legitimate and use whitelisting to ensure that only approved applications are allowed to run. It can also act as an intrusion prevention device protecting against an attack, and it can inspect encrypted SSL and HTTPS packets.
• Host Intrusion Prevention System (HIPS): An HIPS is a software program that can be installed on a host to protect it against attack. It analyzes the behavior of a computer and looks for any suspicious behavior in log files and memory and takes the appropriate action to prevent attacks such as malware.
• Host Intrusion Detection System (HIDS): An HIDS, by its very nature, is a passive device that monitors patterns in the behaviour of a computer system. The HIDS uses a database that contains the settings for the computer, including the registry, critical system files, applications, and components. Its function is to alert the user to any discrepancies or attacks.
• Host-Based Firewall: A host-based firewall can be used to prevent unauthorized access to the desktop and can set up permitted rules for approved applications. The firewall in the following screenshot allows anti-virus updates, checkpoints, VPN, DNS name resolution, Firefox, and Java:

Figure 11.1 – Host-based firewall

The firewall acts as an additional layer of protection to the computer by controlling the traffic coming into it.

Databases

It is very important that we keep databases safe as they may contain PII information about individuals or credit card information. Let's look at what we can do to keep our database as secure as possible, starting with stored procedures:

• Stored Procedures: A SQL injection attack manipulates a SQL statement and then ends it by inserting 1=1. Instead of writing Transact-SQL statements, we can have the SQL script prewritten and saved in a stored procedure, for example, ABC. This prevents manipulation of the statement. We then insert ABC into the Transact-SQL, thereby preventing alteration. This is similar to what happens with a batch file.
• Tokenization: Tokenization is deemed more secure than encryption. When we encrypt data, we use a public key and then we can reverse the encryption by decrypting the data with the private key or by cracking the encryption. This means that an attacker could decipher the data. Tokenization takes sensitive data such as a credit card number and replaces it with random data. Therefore, it cannot be reversed. Refer to Figure 11.2 to understand the process of tokenization:

Figure 11.2 – Tokenization

If you need to employ the service of a payment gateway, these are the e-commerce application service providers that can process direct debit or credit card payments. Two examples are Visa and Barclaycard, and information pertaining to these can be found here. There are many more providers besides:

- Visa: Information can be found at https://www.visa.co.uk/dam/VCOM/regional/na/us/partner-with-us/documents/token-service%20-provider-product-factsheet-from-visa.pdf.

- Barclaycard: Information can be found at https://www.barclaycard.co.uk/business/news-and-insights/tokenisation.

These payment gateway providers store the credit card details securely and generate a random token. Tokenization can help companies be Payment Card Industry Data Security Standard (PCI DSS)-compliant. They have the ability to replace protected health information, e-PHI, Non-Public Personal Information (NPPI), and ensure that health organizations are in compliance with Health Insurance Portability and Accountability Act (HIPAA) regulations.

• Hashing: A database contains a huge amount of data and we use hashing to index and fetch items from a database. This makes the search faster as the hash key is shorter than the data. The hash function maps out all of the data to where the actual records are held. Refer to the following diagram:

Figure 11.3 – Hash index

In the preceding diagram, you can see that the hash value is stored in a data bucket, which is a memory location where records are stored. A data bucket is known as a unit of storage.

• Salting: Salting passwords in a database means that we take the password stored in the database and add randomized numbers to increase the compute time for a brute-force attack.

Application Security

In today's world, we are all interconnected and use an ever-increasing amount of applications that can be targeted by attackers. Therefore, as a cybersecurity professional, we need to ensure that we harden these applications to prevent attacks. Let's look at the types of protection that we can put in place, starting with input validation:

• Input Validation: Controlling inputs to an application is vital to ensure that buffer overflow, integer overflow, and SQL injection attacks cannot be launched against applications and databases. Input validation is where data is entered either using a web page or wizard. Both are set up to only accept data in the correct format within a range of minimum and maximum values.

  Example: Have you ever completed a web form quickly and maybe put your zip code into another field? This results in an error in the form and it fails to process the submit button. The web form then has a list at the top, in red, of the incorrect parameters, with a red star next to each of them. Once you have corrected the entries, the form will accept them and submit.

• Secure Cookies: Cookies are used by web browsers and contain information about your session, and they can be stolen by attackers to carry out a session hijacking attack. We can set the secure flag on the website to ensure that cookies are only downloaded when there is a secure HTTPS session. You can do this in Java EE 6 by applying the following information to the web.xml file. An example is shown in the following code snippet:

  <session-config>

  <cookie-config>

  <secure> 'true' </secure>

  </cookie-config>

  </secure-config>

• Hypertext Transfer Protocol (HTTP) Headers: HTTP headers are designed to transfer information between the host and the web server. An attacker can carry out cross-site scripting as it is mainly delivered through injecting HTTP response headers. This can be prevented by entering the HTTP Strict Transport Security (HSTS) header:

  function requestHandler(req, res) {

  res.setHeader('Strict-Transport-Security','max-age=31536000; includeSubDomains; preload');

  }

  This means that HSTS ensures that the browser will ignore all HTTP connections.

• Code Signing: A code-signing certificate is procured that allows you to digitally sign scripts and executables to verify their authenticity and to confirm that they are genuine.
• Allow List: An allow list only allows explicitly allowed applications to run. This can be done by setting up an application whitelist. Firewalls such as pf-sense can have an allow list.
• Block List/Deny List: A block/deny list prevents explicitly blocked applications from being set up by using a blacklist to prevent banned applications from running. Firewalls such as pf-sense can have a block list.
• Secure Coding Practices: This is where the developer that creates software ensures that there are no bugs or flaws, so that they can prevent attacks such as buffer overflow or integer injection.
• Static Code Analyzers: When developers use static code analyzers, the code is not executed locally. Instead, they launch the static code analyzer tool. Then the source code is run inside the tool that reports any flaws or weaknesses.
• Dynamic Code Analysis: When developers use dynamic analysis, the code is run locally and then they use a technique called fuzzing, where a random input is inserted into the application to see what the output will be. White box pen testers use fuzzing to see the flaws and weaknesses in an application before it is rolled out to the production environment.
• Manual Code Review: This is where a developer reads code line by line to ensure that the code is written properly and that there are no errors. This is very tedious and time consuming.
• Fuzzing: This is where we will put random information into an application to see whether the application crashes or causes memory leaks or error information to be returned. The white box pen tester uses this to remedy any potential problems before a new application is released. The black box will use fuzzing to find any vulnerabilities with the application. This is also known as improper input validation.

Hardening

We need to ensure that we harden both the devices running the applications and the applications themselves against an ever-increasing cybercrime threat. In this section, we are going to look at different types of hardening techniques, which, when they are implemented, will keep our devices and applications safe. We are going to start by looking at open ports and services:

• Open Ports and Services: Ports used by applications are endpoints for connections. Each application or protocol will use different port numbers; it is like having TV channels. If you don't go to the sports channel, then you can't watch sport. Similarly, if you don't use the correct port, you cannot connect to your application. When you install an OS, some of these ports are open, so you need to close unused ports on your host-based firewall. This can be done on a Windows computer by using the netstat command to find the open ports. Referring to Figure 11.4, the port number is after the colon in the Local Address column. You can use the netstat -ano command to close the port that you are not using:

Figure 11.4 – Netstat

Applications use a service to run and when you first install an OS, there are a lot of services running by default, some of which you may never use. For example, the telnet service will allow remote access to your computer in clear text, so we would need to disable those services. In a Windows computer, if you type services.msc in the run command, you can see which services are running and then just disable those that you are not using.

• Registry: The registry is a database of all the settings on your computer, and gaining access to the registry can allow someone to cause damage to the computer. If you make a change in control, that change is reflected in your registry. There are a group of settings called hives and there are five main hive keys. These start with HKEY_. You can see these five keys in Figure 11.5, starting with HKEY_CLASSES_ROOT. You can access the registry by using the regedit command:

Figure 11.5 – Registry

The Docker tool allows you to isolate applications into a separate space called containers. The registry can now be isolated into a separate container, making it more secure.

• Operating System: In order to harden an OS, it is important that the OS has the latest patches and updates. Subscribing to security bulletins from the vendor helps to get updates when new patches are released.
• Patch Management: Patch management is where the cybersecurity team obtains updates from the vendors. They test the updates on a computer in a sandbox to ensure that it will not cause any damage to either the OS or the installed applications. Patch management such as the Microsoft WSUS server has the ability to roll out vendor updates and third-party updates. Once the updates have been tested, they can be set up to automatically update your OS.

Full Disk Encryption (FDE)

FDE is used on computer systems to encrypt the whole hard drive as it holds data at rest. FDE uses X509 certificates to encrypt the full disk, but needs a TPM chip on the motherboard to store the keys. Microsoft's BitLocker is an example of this, and if it thinks the drive has been tampered with it, locks the drive and a 48-character key is then required to unlock it. Let's look at aspects of FDE, starting with the TPM chip:

• Trusted Platform Module (TPM): The TPM chip is stored on the motherboard and is used to store the encryption keys so that when the system boots up, it can compare the keys and ensure that the system has not been tampered with.
• Hardware Root of Trust: When we use certificates for FDE, they use a hardware root of trust that verifies that the keys match before the secure boot process takes place.

Self-Encrypting Drives (SEDs)

The OPAL storage specification is the industry standard for self-encrypting drives. This is a hardware solution. Therefore, they outperform other encryptions as they are software solutions. They don't have the same vulnerabilities as software and therefore are more secure. The SEDs are Solid State Drives (SSDs) and are purchased already set to encrypt data at rest. The encryption keys are stored on the hard drive controller. Therefore, they are immune to a cold boot attack and are compatible with all OSes. The drives have a security mechanism allowing the drive to be locked in order to prevent unauthorized users from accessing the data. Only the computer user and the vendor can decrypt the drives.

Hardware Security Module (HSM)

An HSM is similar to TPM chips, except that it is removable. The Key Escrow uses an HSM to store and manage private keys, but smaller ones can be used for computers.

Sandboxing

Sandboxing is where we can install an application in a virtual machine environment isolated from our network so that we can patch, test, and ensure that it is secure before putting it into a production environment. In a Linux environment, this is known as Chroot Jail.

Now that we have an idea of host and application security, let's understand the security implications of embedded and specialist systems.

Understanding the Security Implications of Embedded and Specialist Systems

An embedded system has its own software built into the device hardware. Some are programmable and some are not. Embedded systems are found in consumer products used for health monitoring, automotive, medical, and household products. Some examples follow in the next section.

Internet of Things (IoT)

IoT comprises small devices, such as ATMs, small robots, and wearable technologies, that can use an IP address and connect to internet-capable devices. We must ensure that we change the default usernames and passwords for these devices to prevent someone from hacking them. From a security point of view, supporting IoT items is a nightmare because of the diversity of the devices. Most users of IoT devices are not aware that they have default username and passwords, and so they are vulnerable to attack. You should change the default settings immediately after purchase. Let's look at some of these devices in the following diagram:

Figure 11.6 – IoT devices

The devices shown in the preceding diagram have been explained in detail in the following points:

• Smart Devices: Smart devices, such as a smart TV or refrigerators, can connect to a home network and gain access to the internet. If we do not change the default username and passwords, they are vulnerable to attacks. Default passwords for these devices can be found at www.cirt.net. Most home users are unaware that they have a password, and so are vulnerable to attack. If we look at a smart refrigerator, the owner can connect to it from the supermarket, using an app on their cell phone, to see what is in the fridge as it has a direct connection to the internet.
• Home Automation: A home automation system will control alarms systems, lighting, climate, entertainment, alarm systems, and kitchen appliances. Since most home automation devices have a direct internet connection, this makes them vulnerable to attack.

  Example: An Alexa stores all conversations that take place in its vicinity. Therefore, if you don't delete the voice history on a regular basis, an attacker can gain access to those conversations. To prevent this, you should say Alexa, delete what I say today. You need to watch where you place the device as it has a camera. You can turn the camera off by simply saying, Alexa, turn off the camera. You change the wake-up word in case you have a friend called Alexis and this also prevents other people giving commands to your device.

• Wearable Technology: The use of wearable technology has increased in recent years, from monitoring health and performance to sending texts and receiving calls on your watch. Some devices such as Fitbit are encrypted, but others are vulnerable as they use Bluetooth.
• Sensors: These could be used to detect motion, alert you when systems fail, or allow you to measure occupancy as they can detect motion and the use of electricity.
• Facilities Automation: Companies can use IoT devices to help them manage and secure their environments. Some companies have a smart building system that can provide the following:

Figure 11.7 – A smart building system

As these devices are connected to the main control unit and all have an internet capability, they could be attacked from the internet. The attacker could tamper with the systems so that it provides false positive information, or they could launch a denial-of-service attack. They could use selective forwarding that would filter out messages or they could eavesdrop and carry out man-in-the-middle attacks.

Real-Time Operating System (RTOS)

RTOS are more reliable than desktops or servers as they are normally used for real-time applications since they process data immediately, thereby preventing buffering and buffer overflows. If a task or process does not complete within a certain time, the process will fail. RTOS could be used for military systems or where robots are being used in production to ensure that processes are completed quickly.

Multifunctional Printers (MFPs)

MFPs are an all-in-one device consisting of at least two of the following – printer, scanner, fax, or photocopier. The weakness of each of these is that they all have a network interface and could be attacked through that interface. Any default setting or passwords must be changed.

Surveillance Systems

Surveillance systems can check cameras, speak to those on the camera, automate lights, and set alarms, and this can all be done from a smart phone. Surveillance systems now tend to be networked and are used for security of a business or your home and the footage can be used in evidence for legal purposes. They could be attacked from the internet and the attacker could steal the information that they contain. Therefore, the default username and passwords must be changed immediately.

Example 1: You are at work when the surveillance systems alerts you that someone has rung your door bell. You can now see the person who has picked up a parcel from your porch, you can shout at them to drop the parcel, and can send the footage to the police.

Example 2: The police are dealing with a riot. The police are dressed in riot gear and there are police vehicles equipped with camera systems. These will be used to record the event in real time. The footage can be sent back to an incident control room, in real time, where the police can see whether any of the rioters are on their internal police systems.

System on a Chip (SoC)

An (SoC) is an integrated circuit on a microchip that connects the functionality of a computer on a small microchip. Life support devices use SoC.

Heating, Ventilation, and Air Conditioning (HVAC)

HVAC is very important for server rooms and for server farms that are located in data centers as they regulate the temperature by using hot and cold aisles, as shown in Figure 11.8:

Figure 11.8 – HVAC

The cold aisle is where the cold air comes in and that faces the front of the servers. The rear of the servers face one another. They push hot air out into the hot aisles, and this is allowed to escape through a chimney. This way, the temperature can be regulated, and this ensures the availability of the IT systems. Critical systems could fail if the temperature gets too hot, and the security teams will know whether offices are occupied according to the HVAC system usage register.

Specialized Devices

Specialized devices are more expensive bespoke devices that provide a unique purpose. For example, there are man overboard devices that detect someone falling into the water. We are going to look at these in the following points, starting with medical devices:

• Medical Devices: These can include infusion devices that measure fluids that are given to patients in hospitals. Ambulances will carry life-support systems, such as defibrillators, that are used to save a person's life if they have just suffered from cardiac arrest. The defibrillators will have an SoC installed as it gives out instructions on how to use it, but if it detects a pulse, it will not send a charge, as shown in Figure 11.9:

Figure 11.9 – Defibrillator

• Luxury Vehicles: Some luxury vehicles have embedded systems that produce a wireless hotspot in the car so that, when you are driving along, your passengers can connect to the internet. Others have the ability to carry out automatic self-parking. There have been many trials recently of self-driving cars; vendors, such as Google, are still trying to perfect their systems.
• Drones: For many years, people have been flying model aircraft that also have embedded systems, but in the past 2-3 years, unmanned aerial vehicles called drones (Unmanned Aerial Vehicles (UAV)) have been making the headlines. The military can use these drones to carry out surveillance of areas where it is too dangerous to send manned aircraft, and they could also be armed to carry out attacks.
• Smart Meters: These can be used to show you the amount of electricity or gas that you are using. This helps to reduce your energy bills.

Embedded Systems

An embedded system is both hardware and software combined in a single device. Some such devices will have updates, but some have no update mechanism, making them vulnerable to attack. Examples of embedded systems include the following:

• Raspberry Pi: This is a credit card size computer that allows you to run program languages such as Python or Scratch. The Raspberry Pi can be plugged into a monitor or computer.
• Field-Programmable Gate Array (FPGA): This is as close to creating your own chip as you can possibly get. The FPGA takes code and stores it in multiple hardware blocks. The hardware block contains register and logic units. These are not like microchips that have a function. The FPGA has absolutely no function at all. It has no processor, and this makes it very flexible. Each block can be programmed to perform a single function. FPGAs are super-fast as they have Gbps capability with built-in transceiver and serial decoding. You could use a FPGA to build your own supercomputer.

  Example: If you have built your own microcontroller and you want to change it, but it does not have enough processing power to change it, then you are stuck. However, if you had built your processor inside an FPGA and you had sufficient resources, you could increase your processor power and that would allow you to perhaps put in a finite impulse response (FIR) filter between two pins and achieve your aim.

• Arduino: This is an open source programmable microprocessor/microcontroller. These boards are programmable through a USB. They are able to read inputs whether it be a light on a sensor, or an activity such as turning on a LED, publishing something online, or activating a motor. They can be run from a 9-volt battery and can be used to control electronic components. The Arduino has shields, and these allow you to add wireless or Bluetooth to it so that it could be used to build a robot.

Supervisory Control and Data Acquisition (SCADA)

SCADA systems are automated control systems that can be used for water, oil, or gas refineries, or industrial and manufacturing facilities, where there are multiple phases of production. The architecture of a SCADA system can be seen in the following diagram:

Figure 11.10 – SCADA system

The security of the SCADA system is paramount. A network firewall prevents unauthorized access to the network, and then an NIPS is used as an additional layer. If further segmentation is required, VLANs could be used internally. This is no different to protecting a corporate network.

Example: Iran had a uranium enrichment facility that was a SCADA system, but it suffered an attack from the Stuxnet virus that attacked the centrifuges. The Stuxnet virus was discovered in 2007, but many believe it could have been there in 2005. Uranium enrichment is an example of using the SCADA methodology in a production environment.

Industrial Control System

Several types of control systems and instrumentation used for industrial process control are generally encompassed as the Industrial Control System (ICS). They are used for water, telecommunications, health, chemicals and pharmaceuticals, water supply, and treatment.

Communication Considerations

In today's world, there are various different connection methods for mobile devices, and we need to be able to identify the best selection for a given scenario. Let's look at these by first looking at cellular:

• Cellular: This is where tablets and phones are using 3G, 4G, or 5G to connect to their provider without needing any other devices. Cellular connections are encrypted to prevent anyone seeing who is logging on or stealing your data. The problem that cellular faces is that, if there are no masts nearby and the device has a setting of no service, they will not work.
• Narrow-Band: These are short-range, wireless applications that are used, for example, with security radio-frequency identification (RFID) or keyless vehicle entry products.
• Baseband Radio: This is used for audio signals over a radio frequency, for example, when truck drivers go onto a specific channel to talk to another truck driver.
• Subscriber Identity Module (SIM) cards: These are small computer chips that contain your information that allows you to connect to your telecoms provider to make calls, send text messages, or use the internet.
• Zigbee: These chips are integrated with microcontrollers and radios. They are powered by a battery as they are low cost and low power. Examples of use include Abode smart security system, Bosch security systems, and Honeywell thermostats.

Constraints

There are many constraints associated with embedded devices, due to their size. Most devices, such as Zigbee and Arduino, are battery-operated and even cell phones such as the iPhone have a battery that lasts about 7 hours. Most embedded systems have a smaller processor. They may be 8- or 16-bit, compared to a laptop, which has a 64-bit processor. They are therefore restricted in terms of their compute time. Other limitations are as follows:

• Network: Embedded systems are not scalable, and some can only communicate through Wi-Fi or Bluetooth and are short ranged. It is difficult to transfer data from one system to another.
• Crypto: PKI needs at least a 32-bit processor, and embedded devices are limited to 8 or 16, so you will need significant overhead when trying to authenticate, and this may well be very slow.
• Hardware Upgrade/Patching: Most embedded devices cannot have their hardware upgraded, and some do not have the ability to patch. In fact, some vendors do not produce patches.
• Range: Many embedded systems may have a very short range, and so are not scalable.
• Cost: Embedded systems are mainly customized, and when the new product is released, the cost of purchase is outside the range of normal users.
• Implied Trust: When you purchase an embedded system, you need to hope that there is implied trust, where the system operates as described in the sales brochures. You may not be able to troubleshoot these devices.

Now that we have understood the security implications, we will look at secure application development, deployment, and automation in the next section.

Understanding Secure Application Development, Deployment, and Automation

There are two main models of the Software Development Life Cycle (SDLC), the first being an older version that is called Waterfall, where each stage is completed before the next stage commences. This is known as a cascade model. The newer, faster, and more flexible model is called Agile, which is similar to Scrum, where several stages of development can occur simultaneously. Agile is customer focused, where each part of the project is called a sprint, so if I have three stages, then there are three sprints and the project concludes when all the sprints are complete.

Before applications can be used in a production environment, we must ensure that they are as secure as possible so that we mitigate the risk of being attacked by an outside agency. We are going to look at these in turn, starting with the software diversity.

Software Diversity

A compiler takes code and converts it into binary machine language. Software diversity is where a developer can take code and obfuscate it with a compiler so that an attacker cannot reverse engineer the code, allowing them to find vulnerabilities in the code. An Application Programming Interface (API) is created to allow systems to be programmed to talk to one another. Using a complier to obfuscate API methods will make it harder for attackers to reverse engineer the code.

Elasticity

Elasticity is the process of increasing resources when they are needed. The cloud is a pay-as-you-go model where your resources can be increased at the drop of a hat.

Scalability

This is where an application can take more users than originally planned with little or no increase in cost.

Environment

When we are designing an application, we need a secure environment for development, testing, and staging before moving the application into production. This environment is shown in Figure 11.11:

Figure 11.11 – Environment

Let's look at each of these in turn:

• Development: The first stage of developing an application is to use the most secure programming language for the task at hand. There may be more than one application developer involved in the development. The application will go through different versions before it is complete, and these can be tracked by using version numbers.
• Testing: Developers integrate all of their work into a single application, software testers ensure that the functionality of the program fulfills the specifications. They may also employ a secure coding freelancer to carry out regression testing to ensure that the application is fit for production. At this stage, we are not looking at how it affects the production environment, as this is completed at staging.
• Staging: This is where we ensure quality assurance before we roll it out to production. We test the new application with real data in a sandbox environment so that the end users who will be using the applications ensure it is fit for purpose and that all the reports that they need are available. At this stage, the application is signed off as being fit for purpose. The quality assurance of the product is fulfilled.
• Production: The production environment is where the application goes live, and end users have the support of the IT team. The end users will be asked to give as much feedback as they can if the application has any problems that were not picked up beforehand.

Automation/Scripting

Automation is where processes are set up to carry out tasks automatically with the need for human intervention, using either scripts or a graphical user interface. Scripts are precompiled instructions that are automatically launched when the script is activated. This leads to fewer errors than carrying out tasks manually, where humans make mistakes. Let's now look at other aspects of the SDLC:

• Continuous Integration: This is the process where multiple software developers consolidate and test the code that they write to ensure that the different input codes do not conflict. This happens in the developing and testing environments.
• Continuous Validation: This is where the application is tested to make sure that it is fit for purpose and fulfills the original specification.
• Continuous Delivery: This is the process of fixing bugs before the application moves into production. This happens in the staging environment.
• Continuous Deployment: This is the process of pushing out new updates into production software, for example, patching.
• Continuous Monitoring: This is to log any failures by the application so that steps can be taken to remedy them.
• Automated Courses of Action: We can automate courses of action, for example, an Network Intrusion Detection System (NIDS) will detect threats, and the NIPS will prevent the threat from happening.

Provisioning and Deprovisioning

The concept of application provisioning is the life cycle of designing, preparing, creating, and managing the applications, and ensuring that there are no flaws in the security before release. Deprovisioning is when the application meets its end of life and we remove the application and either migrate the data to the new system or dispose of it, ensuring that we do so in accordance with local regulations, such as HIPAA, GDPR, or the Data Protection Act 1998.

Integrity Measurement

We measure application integrity to ensure that the application performs as it should do and conforms to data industry standards and regulations. Before the application is written, a third-party coding expert should carry out regression testing to ensure that there are no flaws in the code. The application itself is measured to ensure that it does what it is meant to do. We test that the security features are safe and that no vulnerabilities exist. Anything found out of the ordinary should be addressed quickly.

Secure Coding Techniques

Although most people who work in networking or security are not application developers, CompTIA has introduced secure coding into the syllabus. This section needs to be understood, so it is written in the simplest format we could think of:

• A Race Condition: This is where two instructions from different threads try to access the same data at the same time. When the developer wrote the application, the threads should have been programmed to access the data sequentially.

  Example: Two guys buy tickets for the Super Bowl final, and when they arrive at the stadium, they find that they have been allocated the same seat. That's a great profit for those selling the ticket, but a bad deal for those purchasing the ticket.

• Proper Error Handling: When we develop IT systems, we want the errors that are sent back to users to be very short and generic so that an attacker has very little information to use and launch the further attacks. However, we want the information logged in relation to errors to be as detailed as possible so that the security administrators know why the error occurred.
• Proper Input Validation: Input validation is controlled by using either wizards or web pages where the following is laid out:

  a. Is it alphabetical?

  b. Is it numerical?

  c. Is it a certain format, such as a zip code or telephone number?

  d. What are the minimum and maximum numbers of characters?

  If the data is not input in the correct format, it will not be accepted. Input validation on web pages lists errors in red at the top of the page with the incorrect entries. This prevents SQL injection, integer overflow, and buffer overflow attacks.

• Stored Procedure: A stored procedure is a pre-written SQL script that might ask you for a list of all the customers who have purchased items costing over $1,000 in the last 7 days. When this is written, it is saved as a stored procedure called ABC. When I run the ABC stored procedure, it will give me all of the information I require, and an attacker won't be able to modify the script inside.
• Obfuscation/Camouflage: Obfuscation is the process where you take source code and make it look obscure, so that if it was stolen, it would not be understood. Obfuscation masks the source code so that it cannot be understood by competitors.

  Example 1: Exclusive OR (XOR) is a binary operand from Boolean algebra. This operand will compare two bits and will produce one bit in return, two bits that are equal to 0, and two bits that are equal to 1. This is the opposite to binary. For example, we are going to use the word tread in ASCII format and then we are going to insert a key using the word hello so that we can complete an XOR operation. Refer to the following diagram:

Figure 11.12 – XOR

From the preceding XOR, you can see that the data has been obscured.

Example 2: ROT 13 is a variation of the Caesar cipher. As there are 26 letters in the alphabet, we are rotating the letters 13 times. The key to ROT 13 would be as follows:

Figure 11.13 – ROT 13

When receiving the message GVZR SBE GRN, we would apply ROT 13, but instead of going forward 13 places to decipher, we would simply go back 13 places, and the message would be TIME FOR TEA.

• Code Reuse/Dead Code: Developers like to keep code libraries where they store their source code. If they need to develop an application, they may start with old code and then modify it for the new application. Dead code is code that is never executed. It also consumes resources and should be removed as it serves no purpose.
• Memory Management: It is important that, when a developer writes an application, they control how much memory it can consume as this can create performance issues. Memory leaks are where written applications consume more memory than they need and, over a period of time, starve other applications of the memory that they need.
• Use of Third-Party Libraries: The use of apps on mobile devices is a fierce marketplace where, as soon as you purchase a domain name, someone has emailed you offering you a good deal on mobile apps for your business. There are many third-party libraries that have many pieces of code, and although they may not be perfect, this is a fast way to get your application to market. There are many third-party libraries for Android and JavaScript that have grown in popularity.
• Software-Developer Kits (SDKs): An SDK is a set of software development tools that a vendor creates to make application development easier.

  Example: Microsoft has the Windows 10 SDK, which provides the latest headers, libraries, metadata, and tools for building Windows 10 apps. Further information can be found at https://developer.microsoft.com/en-us/windows/downloads/windows-10-sdk/.

• Data Exposure: Sensitive data is normally encrypted to prevent it from being stolen by attackers; this would include passwords and credit card details. We should limit the amount of data allocated to a user who is using an application, and we should also use input validation and DLP to protect our data.
• Normalization: Each database has a list of tables that are broken down into rows and columns. In a large relational database, data may be retained in multiple places. The goal of normalization is to reduce and eliminate the redundancy to make fewer indexes per table and make searching much faster.
• Server-Side versus Client-Side Execution and Validation: Website code will either run as server-side code or client-side code. Let's look at each of these in turn, starting with server-side code:

  a. Server-Side – Known As the Backend: Server-side validation is where the user's input is sent to the server, where it is validated and then the response is sent back to the client. Programming languages such as C# and .NET are server-side.

  b. Client-Side – Known As the Frontend: Client-side validation is done locally on the client so there is no network traffic. Script languages such as JavaScript, VBScript, or HTML5 attributes are used for this type of validation on the browser side.

  Client-side validation is much quicker, but an attacker can exploit the JavaScript and bypass the client side. Server-side validation takes much longer and can use input validation to check that the input is valid and to stop the attacker in their tracks.

Open Web Application Security Project (OWASP)

The Open Web Application Security Project (OWASP) is an international not-for-profit organization that provides an up-to-date list of the most recent web application security concerns. They rely on donations to exist. Their mission statement is to improve software security through open source initiatives and community education. They provide the following resources:

• Tools and resources
• Community and networking
• Education and training

They run seminars all over the world for the security of web, cloud, mobile devices, applications, and software development and maintenance.

Review Questions

Now it's time to check your knowledge. Answer the questions, and then check your answers, which can be found in the Assessments section at the end of the book:

1. Name three types of mobile device connection methods
2. What is an embedded electronic system? Give two examples.
3. What is the purpose of a SCADA system?
4. What category of device are my smart TV and wearable technology?
5. What is home automation?
6. What is the purpose of SoC?
7. If a process does not suffer buffer overflow, but fails within a specified period of time and this causes the process to fail, what method am I using?
8. What is the most likely way an attacker would gain control of an MFP?
9. What is the purpose of the security team controlling the HVAC in a data center?
10. Someone at work has suffered a cardiac arrest and the first aid delegate takes out a defibrillator that gives instructions of the steps to take. What had been built into the device to give these instructions?
11. Give an example of embedded systems that can be used with vehicles.
12. What is a UAV? Give two examples.
13. What is the main problem with a race condition when using an application?
14. What is the perfect way to set up error handling in an IT system?
15. Explain input validation and name three types of attacks that this could prevent.
16. How can I prevent a SQL injection attack other than with input validation?
17. What is the purpose of code signing?
18. What is the purpose of obfuscation?
19. What is dead code and how should it be treated?
20. If I am an Android developer, what can I obtain from the internet to help me get an application to market quickly?
21. What is the purpose of a measured boot?
22. What is needed for a secure boot – UEFI or BIOS?
23. If BitLocker is checking upon boot up that the software has not been tampered with, what is this known as?
24. What is the purpose of an endpoint protection and response solution?
25. Why do we use fingerprinting?
26. What type of firewall can act as an intrusion prevention device, a stateful firewall, and can inspect encrypted SSL and HTTPS packets?
27. Why is tokenization deemed more secure than encryption?
28. What is the purpose of secure cookies?
29. What is the purpose of using HSTS?
30. When a developer wants to analyze code when it is running, what type of code analyzer will they use?
31. What is the benefit of using the Docker tool to protect your registry?
32. Why would a cybersecurity team change the SSD hard drives in the company's laptop to an Opal drive?
33. As part of application development, when would you apply quality assurance?