Chapter 10

Information Systems Acquisition, Development, and Maintenance

Section 14 of ISO 27002:2013: “Information Systems Acquisition, Development, and Maintenance (ISADM)” focuses on the security requirements of information systems, application, and code from conception to destruction. This sequence is referred to as the systems development life cycle (SDLC). Particular emphasis is put on vulnerability management to ensure integrity, cryptographic controls to ensure integrity and confidentiality, and security of system files to ensure confidentiality, integrity, and availability (CIA). The domain constructs apply to in-house, outsourced, and commercially developed systems, applications, and code. Section 10 of ISO 27002:2013: “Cryptography,” focuses on proper and effective use of cryptography to protect the confidentiality, authenticity, and/or integrity of information. Because cryptographic protection mechanisms are closely related to information systems development and maintenance, it is included in this chapter.

Of all the security domains we have discussed so far, this one has the most widespread implications. Most cybercrime is opportunistic, meaning that the criminals take advantage of the system vulnerabilities. Information systems, applications, and code that does not have embedded security controls all expose the organization to undue risk. Consider a company that relies on a web-based application linked to a back-end database. If the code used to create the web-based application was not thoroughly vetted, it may contain vulnerabilities that would allow a hacker to bring down the application with a denial of service (DoS) attack, run code on the server hosting the application, or even trick the database into publishing classified information. These events harm an organization’s reputation, create compliance and legal issues, and significantly impact the bottom line.

• During the initiation phase, the need for a system is expressed, and the purpose of the system is documented.

• During the development/acquisition phase, the system is designed, purchased, programmed, developed, or otherwise constructed.

• The implementation/assessment phase includes system testing, modification if necessary, retesting if modified, and finally acceptance.

• During the operations/maintenance phase, the system is put into production. The system is almost always modified by the addition of hardware and software and by numerous other events. Monitoring, auditing, and testing should be ongoing.

• Activities conducted during the disposal phase ensure the orderly termination of the system, safeguarding vital system information, and migrating data processed by the system to a new system.

Each phase includes a minimum set of tasks needed to effectively incorporate security in the system development process. Phases may continue to be repeated throughout a system’s life prior to disposal.

The final task in this phase is authorization. It is the responsibility of the system owner or designee to green light the implementation and allow the system to be placed in production mode. In the federal government, this process is known as certification and accreditation (C&A). OMB Circular A-130 requires the security authorization of an information system to process, store, or transmit information. The authorizing official relies primarily on the completed system security plan, the inherent risk as determined by the risk assessment, and the security test results.

If an update requires a system reboot, it should be delayed until the reboot will have the least impact on business productivity. Typically, this means after hours or on weekends, although if a company is international and has users who rely on data located in different time zones, this can get a bit tricky. If an update does not require a system reboot, but will still severely impact the level of system performance, it should also be delayed until it will have the least impact on business productivity.

Security vulnerability patching for commercial and open source software is one of the most important processes of any organization. An organization may use the following technologies and systems to maintain an appropriate vulnerability management program:

• Vulnerability management software and scanners (such as Qualys, Nexpose, Nessus, etc.)

• Software composition analysis tools (such as BlackDuck Hub, Synopsys Protecode (formerly known as AppCheck), FlexNet Code Insight (formerly known as Palamida), SourceClear, etc.)

• Security vulnerability feeds (such as NIST’s National Vulnerability Database (NVD), VulnDB, etc.)

OWASP also has created source code analysis tools (often referred to as Static Application Security Testing (SAST) tools). These tools are designed to analyze source code and/or compiled versions of code to help find security flaws. The following are examples of these tools and projects:

• OWASP SonarQube Project: https://www.owasp.org/index.php/OWASP_SonarQube_Project

• OWASP Orizon Project: https://www.owasp.org/index.php/Category:OWASP_Orizon_Project

• OWASP LAPSE Project: https://www.owasp.org/index.php/OWASP_LAPSE_Project

• OWASP O2 Platform: https://www.owasp.org/index.php/OWASP_O2_Platform

• OWASP WAP-Web Application Protection: https://www.owasp.org/index.php/OWASP_WAP-Web_Application_Protection

• Code Injection

• Command Injection

• Comment Injection Attack

• Content Spoofing

• Cross-site Scripting (XSS)

• Custom Special Character Injection

• Function Injection

• Resource Injection

• Server-Side Includes (SSI) Injection

• Special Element Injection

• SQL Injection

• XPATH Injection

You may wonder, why bother to go through all this? Who cares if a user sends the wrong ZIP code? Who cares if the information entered in the ZIP code field includes letters and/or ASCII characters? Hackers care. Hackers attempt to pass code in those fields to see how the database will react. They want to see if they can bring down the application (DoS attack against that application), bring down the server on which it resides (DoS against the server, and therefore against all the applications that reside on that server), or run code on the target server to manipulate or publish sensitive data. Proper input validation is therefore a way to limit the ability of a hacker to try to abuse an application system.

Dynamic data is used by numerous application systems. A simple example is the exchange rate for a particular currency. These values continually change, and using the correct value is critical. If the transaction involves a large sum, the difference can translate into a fair amount of money! Data validation extends to verification that the business rule is also correct.

Developers test applications by feeding erroneous data into the interface to see how it reacts and what it reveals. This feedback is used to modify the code with the objective of producing a secure application. The more time spent on testing, the less likely hackers will gain the advantage.

Another related technique is a position-independent executable (PIE). PIE provides a random base address for the main binary that is being executed. PIE is typically used for network-facing daemons. There is another implementation called the kernel address space layout randomization (KASLR). KASLR’s main purpose is to provide address space randomization to running Linux kernel images by randomizing where the kernel code is placed at boot time.

• Confidentiality: Unauthorized parties cannot access the data. Data can be encrypted, which provides confidentiality.

• Integrity: Assurance is provided that the data was not modified. Data can be hashed, which provides integrity.

• Authenticity/nonrepudiation: The source of the data is validated. Data can be digitally signed, which ensures authentication/nonrepudiation and integrity.

Data can be encrypted and digitally signed, which provides for confidentiality, authentication, and integrity.

Encryption is the conversion of plain text into what is known as cipher text, using an algorithm called a cipher. Cipher text is text that is unreadable by a human or computer. Literally hundreds of encryption algorithms are available, and there are likely many more that are proprietary and used for special purposes, such as for governmental use and national security.

Common methods that ciphers use include the following:

• Substitution: This type of cipher substitutes one character for another.

• Polyalphabetic: This is similar to substitution, but instead of using a single alphabet, it can use multiple alphabets and switch between them by some trigger character in the encoded message.

• Transposition: This method uses many different options, including the rearrangement of letters. For example, if we have the message “This is secret,” we could write it out (top to bottom, left to right) as shown in Figure 10-2.

  

  FIGURE 10-2 Transposition Example

We then encrypt it as RETCSIHTSSEI, which involves starting at the top right and going around like a clock, spiraling inward. For someone to know how to encrypt/decrypt this correctly, the correct key is needed.

Decryption, the inverse of encryption, is the process of turning cipher text back into readable plain text. Encryption and decryption require the use of a secret key. The key is a value that specifies what part of the algorithm to apply, in what order, and what variables to input. Similar to authentication passwords, it is critical to use a strong key that cannot be discovered and to protect the key from unauthorized access. Protecting the key is generally referred to as key management. We examine the use of symmetric and asymmetric keys, as well as key management, later in this chapter.

Ensuring that a message has not been changed in any way during transmission is referred to as message integrity. Hashing is the process of creating a numeric value that represents the original text. A hash function (such as SHA or MD5) takes a variable size input and produces a fixed size output. The output is referred to as a hash value, message digest, or fingerprint. Unlike encryption, hashing is a one-way process, meaning that the hash value is never turned back into plain text. If the original data has not changed, the hash function should always produce the same value. Comparing the values confirms the integrity of the message. Used alone, hashing provides message integrity and not confidentiality or authentication.

A digital signature is a hash value (message digest) that has been encrypted with the sender’s private key. The hash must be decrypted with the corresponding key. This proves the identity of the sender. The hash values are then compared to prove the message integrity. Digital signatures provide authenticity/nonrepudiation and message integrity. Nonrepudiation means that the sender cannot deny that the message came from them.

Another example is the General Data Protection Regulation (GDPR) by the European Commission. One of the GDPR’s main goals is to strengthen and unify data protection for individuals within the European Union (EU), while addressing the export of personal data outside the EU. In short, the primary objective of the GDPR is to give citizens back control of their personal data.

• The certification authority (CA) issues and maintains digital certificates.

• The registration authority (RA) performs the administrative functions, including verifying the identity of users and organizations requesting a digital certificate, renewing certificates, and revoking certificates.

• Client nodes are interfaces for users, devices, and applications to access PKI functions, including the requesting of certificates and other keying material. They may include cryptographic modules, software, and procedures necessary to provide user access to the PKI.

• A digital certificate is used to associate a public key with an identity. Certificates include the certificate holder’s public key, serial number of the certificate, certificate holder’s distinguished name, certificate validity period, unique name of the certificate issuer, digital signature of the issuer, and signature algorithm identifier.

Best practices for key management include the following:

• The key length should be long enough to provide the necessary level of protection.

• Keys should be transmitted and stored by secure means.

• Key values should be random, and the full spectrum of the keyspace should be used.

• The key’s lifetime should correspond with the sensitivity of the data it is protecting.

• Keys should be backed up in case of emergency. However, multiple copies of keys increase the chance of disclosure and compromise.

• Keys should be properly destroyed when their lifetime ends.

• Keys should never be presented in clear text.

Key management policy and standards should include assigned responsibility for key management, the nature of information to be protected, the classes of threats, the cryptographic protection mechanisms to be used, and the protection requirements for the key and associated processes.

The built-in defense against a fraudulently issued certificate is certificate revocation. When a rogue or fraudulent certificate is identified, the CA will issue and distribute a certificate revocation list. Alternatively, a browser may be configured to use the Online Certificate Status Protocol (OCSP) to obtain revocation status.

Custom applications should be built with security in mind from the start. Adopting an SDLC methodology that integrates security considerations ensures that this objective is met. The SDLC provides a structured and standardized process for all phases of any system development effort. During the initiation phase, the need for a system is expressed and the purpose of the system is documented. During the development/acquisition phase, the system is designed, purchased, programmed, developed, or otherwise constructed. During the implementation phase, the system is tested, modified if necessary, retested if modified, and finally accepted. During the operational phase, the system is put into production. Monitoring, auditing, and testing should be ongoing. Activities conducted during the disposal phase ensure the orderly termination of the system, safeguarding vital system information, and migrating data processed by the system to a new system.

SDLC principles extend to COTS (commercial off-the-shelf) software as well as open source software. It is important to recognize the stages of software releases. The alpha phase is the initial release of software for testing. Beta phase indicates that the software is feature-complete and the focus is usability testing. A release candidate (RC) is a hybrid of a beta and a final release version. General availability or “go live” is when the software has been made commercially available and is in general distribution. Alpha, beta, and RCs should never be implemented in a production environment. Over the course of time, publishers may release updates and security patches. Updates generally include enhancements and new features. Updates should be thoroughly tested before release to a production environment. Even tested applications should have a rollback strategy in case the unexpected happens. Live data should never be used in a test environment; instead, de-identified or dummy data should be used.

The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted.

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. Throughout recent years, OWASP rated injection flaws as the number-one software and database security issue. Injection is when untrusted data is sent to an interpreter as part of a command or query. Input and output validation minimizes injection vulnerabilities. Input validation is the process of validating all the input to an application before using it. This includes correct syntax, length, characters, and ranges. Output validation is the process of validating (and in some cases, masking) the output of a process before it is provided to the recipient.

Data at rest and in transit may require cryptographic protection. Three distinct goals are associated with cryptography: Data can be encrypted, which provides confidentiality. Data can be hashed, which provides integrity. Data can be digitally signed, which provides authenticity/nonrepudiation and integrity. Also, data can be encrypted and digitally signed, which provides for confidentiality, authentication, and integrity. Encryption is the conversion of plain text into what is known as cipher text, using an algorithm called a cipher. Decryption, the inverse of encryption, is the process of turning cipher text back into readable plain text. Hashing is the process of creating a fixed-length value known as a fingerprint that represents the original text. A digital signature is a hash value (also known as a message digest) that has been encrypted with the sender’s private key.

A key is a value that specifies what part of the cryptographic algorithm to apply, in what order, and what variables to input. The keyspace is a large set of random values that the algorithm chooses from when it needs to make a key. Symmetric key algorithms use a single secret key, which must be shared in advance and kept private by both the sender and the receiver. Asymmetric key cryptography, also known as public key cryptography, uses two different but mathematically related keys known as public and private keys. A digital certificate is used to associate a public key with an identity.

A public key infrastructure (PKI) is used to create, distribute, manage, and revoke asymmetric keys. A certification authority (CA) issues and maintains digital certificates. A registration authority (RA) performs the administrative functions, including verifying the identity of users and organizations requesting a digital certificate, renewing certificates, and revoking certificates. Client nodes are interfaces for users, devices, and applications to access PKI functions, including the requesting of certificates and other keying material. They may include cryptographic modules, software, and procedures necessary to provide user access to the PKI.

Information Systems Acquisition, Development, and Maintenance (ISADM) policies include SDLC, Application Development, and Key Management.

A. Build the application first and then add a layer of security.

B. From the planning and design phase and through the whole development life cycle.

C. Start the application development phase, and when you reach the halfway point, you have enough of a basis to look at to decide where and how to set up the security elements.

D. No security needs to be developed inside of the code itself. It will be handled at the operating system level.

2. Which of the following statements best describes the purpose of the systems development life cycle (SDLC)?

A. The purpose of the SDLC is to provide a framework for system development efforts.

B. The purpose of the SDLC is to provide a standardized process for system development efforts.

C. The purpose of the SDLC is to assign responsibility.

D. All of the above.

3. In which phase of the SDLC is the need for a system expressed and the purpose of the system documented?

A. The initiation phase

B. The implementation phase

C. The operational phase

D. The disposal phase

4. In which phase of the SDLC should design reviews and system tests be performed to ensure that all required security specifications are met?

A. The initiation phase

B. The implementation phase

C. The operational phase

D. The disposal phase

5. Which of the following statements is true?

A. Retrofitting security controls to an application system after implementation is normal; this is when security controls should be added.

B. Retrofitting security controls to an application system after implementation is sometimes necessary based on testing and assessment results.

C. Retrofitting security controls to an application system after implementation is always a bad idea.

D. Retrofitting security controls to an application system after implementation is not necessary because security is handled at the operating system level.

6. Which phase of software release indicates that the software is feature-complete?

A. Alpha

B. Beta

C. Release candidate

D. General availability

7. Which phase of software release is the initial release of software for testing?

A. Alpha

B. Beta

C. Release candidate

D. General availability

8. Which of the following statements best describes the difference between a security patch and an update?

A. Patches provide enhancements; updates fix security vulnerabilities.

B. Patches should be tested; updates do not need to be tested.

C. Patches fix security vulnerabilities; updates add features and functionality.

D. Patches cost money; updates are free.

9. The purpose of a rollback strategy is to ______________.

A. make backing up easier

B. return to a previous stable state in case problems occur

C. add functionality

D. protect data

10. Which of the following statements is true?

A. A test environment should always be exactly the same as the live environment.

B. A test environment should be as cheap as possible, no matter what.

C. A test environment should be as close to the live environment as possible.

D. A test environment should include live data for true emulation of the real-world setup.

11. Which of the following statements best describes when dummy data should be used?

A. Dummy data should be used in the production environment.

B. Dummy data should be used in the testing environment.

C. Dummy data should be used in both test and production environments.

D. Dummy data should not be used in either test or production environments.

12. Which of the following terms best describes the process of removing information that would identify the source or subject?

A. Detoxification

B. Dumbing down

C. Development

D. De-identification

13. Which of the following terms best describes the open framework designed to help organizations implement a strategy for secure software development?

A. OWASP

B. SAMM

C. NIST

D. ISO

14. Which of the following statements best describes an injection attack?

A. An injection attack occurs when untrusted data is sent to an interpreter as part of a command.

B. An injection attack occurs when trusted data is sent to an interpreter as part of a query.

C. An injection attack occurs when untrusted email is sent to a known third party.

D. An injection attack occurs when untrusted data is encapsulated.

15. Input validation is the process of ___________.

A. masking data

B. verifying data syntax

C. hashing input

D. trusting data

16. Which of the following types of data change as updates become available?

A. Moving data

B. Mobile data

C. Dynamic data

D. Delta data

17. The act of limiting the characters that can be entered into a web form is known as ___________.

A. output validation

B. input validation

C. output testing

D. input testing

18. Which statement best describes a distinguishing feature of cipher text?

A. Cipher text is unreadable by a human.

B. Cipher text is unreadable by a machine.

C. Both A and B.

D. Neither A nor B.

19. Which term best describes the process of transforming plain text to cipher text?

A. Decryption

B. Hashing

C. Validating

D. Encryption

20. Which of the following statements is true?

A. Digital signatures guarantee confidentiality only.

B. Digital signatures guarantee integrity only.

C. Digital signatures guarantee integrity and nonrepudiation.

D. Digital signatures guarantee nonrepudiation only.

21. Hashing is used to ensure message integrity by ____________.

A. comparing hash values

B. encrypting data

C. encapsulating data

D. comparing algorithms and keys

22. When unauthorized data modification occurs, which of the following tenets of security is directly being threatened?

A. Confidentiality

B. Integrity

C. Availability

D. Authentication

23. Which of the following statements about encryption is true?

A. All encryption methods are equal: Just choose one and implement it.

B. The security of the encryption relies on the key.

C. Encryption is not needed for internal applications.

D. Encryption guarantees integrity and availability, but not confidentiality.

24. Which of the following statements about a hash function is true?

A. A hash function takes a variable-length input and turns it into a fixed-length output.

B. A hash function takes a variable-length input and turns it into a variable-length output.

C. A hash function takes a fixed-length input and turns it into a fixed-length output.

D. A hash function takes a fixed-length input and turns it into a variable-length output.

25. Which of the following values represents the number of available values in a 256-bit keyspace?

A. 2 × 2²⁵⁶

B. 2 × 256

C. 256²

D. 2²⁵⁶

26. Which of the following statements is not true about a symmetric key algorithm?

A. Only one key is used.

B. It is computationally efficient.

C. The key must be publicly known.

D. AES is widely used.

27. The contents of a __________ include the issuer, subject, valid dates, and public key.

A. digital document

B. digital identity

C. digital thumbprint

D. digital certificate

28. Two different but mathematically related keys are referred to as ___________.

A. public and private keys

B. secret keys

C. shared keys

D. symmetric keys

29. In cryptography, which of the following is not publicly available?

A. Algorithm

B. Public key

C. Digital certificate

D. Symmetric key

30. A hash value that has been encrypted with the sender’s private key is known as a _________.

A. message digest

B. digital signature

C. digital certificate

D. cipher text

1. Create a list of security concerns. For each concern, indicate if the issue is related to confidentiality, integrity, availability (CIA), or any combination thereof.

2. Create a project plan using the SDLC framework as a guide. Describe your expectations for each phase. Be sure to include roles and responsibilities.

3. Research and recommend an independent security firm to test your application. Explain why you chose them.

1. Read the entire report.

2. Write a memo addressed to Executive Management on why they should read the report. Include in your memo what OWASP means by “It’s About Risks, Not Weaknesses” on page 20.

3. Write a second memo addressed to developers and programmers on why they should read the report. Include in your memo references to other OWASP resources that would be of value to them.

1. Research and choose an issuing CA. Explain why you chose the specific CA.

2. Describe the process and requirements for obtaining a digital certificate.

3. Who in the organization should be tasked with installing the certificate and why?

“HIPAA Security Rule,” official website of the Department of Health and Human Services, accessed 04/2017, https://www.hhs.gov/hipaa/for-professionals/security/index.html.

State of Nevada, “Chapter 603A—Security of Personal Information,” accessed 04/2017, https://www.leg.state.nv.us/NRS/NRS-603A.html.

State of Washington, “HB 2574, An Act Relating to Securing Personal Information Accessible Through the Internet,” accessed 04/2017, http://apps.leg.wa.gov/documents/billdocs/2007-08/Pdf/Bills/House%20Bills/2574.pdf.

Santos, Omar, Joseph Muniz, and Stefano De Crescenzo, CCNA Cyber Ops SECFND 210-250 Official Cert Guide, Cisco Press: Indianapolis, 2017.

Kak, Avi, “Lecture 15: Hashing for Message Authentication, Lecture Notes on Computer and Network Security,” Purdue University, accessed 04/2017, https://engineering.purdue.edu/kak/compsec/NewLectures/Lecture15.pdf.

“OpenSAMM: Software Assurance Maturity Model,” accessed 04/2017, www.opensamm.org.

“RFC 6960, X.509 Internet Public Key Infrastructure Online Certificate Status Protocol—OCSP,” June 2013, Internet Engineering Task Force, accessed 04/2017, https://tools.ietf.org/html/rfc6960.

“RFC 5280, Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile,” May 2008, Internet Engineering Task Force, accessed 04/2017, https://tools.ietf.org/html/rfc5280.