Application and System Development

Topic Description

SW’s Importance  Security should be interwoven into the core of a product and provide different layers

 Application system controls can control input, processing, number-crunching methods, interprocess communication, interfacing to the system and other programs, access, and output

 Controls can be preventative, detective, or corrective

Device vs. SW Security Division b/t SW security and device security deals with providing security at the beginning stages of SW development vs. providing devices that protect the perimeters of networks

Perimeter devices are more often considered that SW development b/c:

1. In the past, it was not crucial to implement security during the SW development stages; thus, programmers do not practice these procedures

2. Many security professionals are not SW developers 3. Many SW developers do not have security as a main focus

4. SW vendors are trying to rush their products to market with their eyes set on functionality not security

5. Computing community is used to receiving SW with bugs and applying patches 6. A combo of the preceding.

Environment vs. Application Controls

SW controls can be implemented by the OS, application or through DB mgmt controls, and usually a combo of all 3.

Complexity of functionality Programmers and application architects need to find a happy medium b/t necessary functionality of the program, security requirements, and the mechanisms that should be implemented to provide security.

Data types, format and length

 Buffer overflows are caused by the program not making sure that only the right amount of info is accepted.

 Data also needs to be in the right format and data type and be reasonable so they are not passed to calculations and logic procedures

Implementation and default issues

 When a security application or device is installed, it should default to NO ACCESS.

 Fine line b/t user friendliness, functionality, and security

 If an application is userfriendly, it is probably not secure because if requires a lot of extra coding.

 Implementation errors and misconfigurations are common issues that cause a majority of security issues in network environments.

Failure States  If an app fails it should return to a safe and more secure state

 If an app fails and is executing in privileged state, these processes should be shut down properly and released to ensure that disrupting a system could not provide compromises that could be expoited.

DB Mgmt DBMS – usually a suite of programs used to manage large sets of structured data with ad hoc query

capabilities for many types of users

Database – a collection of data stored in a meaningful way that enables multiple users and

applications to access, view, and modify data as needed.

 DB is the mechanism that provides structure for data that is collected.

DB Jargon Record – collection of related data items File – Collection of records of the same type DB – cross-referenced collection of files DBMS – Manages and controls the DB Base Relation – A table stored in a DB Tuple – a row in a 2 dimensional DB Attribute – A column in a 2 dimensional DB

Primary Key – Columns that make each row unique (table must include a primary key for every row) View – Virtual relation defined b the DB to keep subjects from viewing certain data

Foreign Key – Attribute of one tale that is the primary key of another table Cell – Intersection of a row and column

Schema – Holds data that describes a DB

Data Dictionary – Central repository of data elements and their relationships.

DB Models Defines the relationships b/t different data elements, dictates how data can be accessed, and defines acceptable operations, type of integrity offered, and how the data is organized.

Relational DB model Uses attributes (columns) and tuples (rows) to contain and organize info.

 Most widely used model

 Present info in the form of tables

 Composed of 2 dimensional tables, and each table contains unique rows, columns, and cells.

 Primary key is a field that links all the data w/in a record to corresponding value.

 An app uses its procedures to obtain data from the DB. DB does not actually provide procedures

Hierarchical DB model Combines records and fields that are related in a logical tree structure.

 Parents have 1 child, many children, or no children

 Tree structure contains branches, and each branch has a number of leaves, or data fields

 Useful for mapping one to many relationships

Distributed DB model Has data stored in more than one DB, but it is logically connected.

 Model enables different DB to be managed by different admins.

balancing, fault tolerance, and shifting of users is quite high

Object-oriented DB Designed to handle a variety of data. Objects w/in the DB contain info that is used to access the objects actually containing these different data types and defines their properties.

 More dynamic in nature when compared to a relational DB b/c objects can be created when needed, and the data and procedure go with the object when it is requested

 Has classe

 s to define the attributes and procedures of its objects

 Can be used to dynamically build different web pages for different users depending upon their requests and input to a particular web site.

 The objects are used to build the page, and the procedures w/in the objects dictate how the data w/in the objects will actually be used to perform their tasks.

DB Interface Languages 1. ODBC – Open DB Connectivity – An API (App Programming Interface) that allows an app

to communicate with a DB either locally or remotely.

 The app sends requests to the ODBC, which in turn translates then into DB commands

 ODBC tracks down the necessary DB driver for the app