We also discuss four practical examples of defense techniques. These are selected because of their good trade-off in effectiveness versus deployment and performance cost:
The following paper is used as lecture notes for this module: Ulfar Erlingsson, Yves Younan, Frank Piessens, Low-level software security by example, Handbook of Information and Communication Security, pages 663-658, 2010.
While the web has undergone a dramatic transformation since the first static HTML documents, the underlying security model has been largely unchanged. However, due to the vastly expanded client-side capabilities in modern web applications, the security model is now more important than ever. Understanding this security model is key to building secure web applications.
In this session we explore how the Same Origin Policy, a 20-year old security policy, is still the most important security feature in the web. We will investigate which restrictions the Same Origin Policy imposes, and how the lack of restrictions actually allows common web vulnerabilities to exist (e.g. Cross-Site Request Forgery, inclusion of untrusted content, etc.).
Overall, you will learn how the security model of the Web can be leveraged to build secure web applications, by carefully applying concepts such as domain separation and origin isolation. Additionally, this session provides you with the necessary context to understand and position the latest security technologies that will be covered throughout the SecAppDev course.
The number of privacy debacles of the last years in social networks, web tracking, NSA/GCHQ surveillance, and mass scale breaches have been adding up. Contrary to claims that “privacy is dead”, the popularity of court cases with national and international implications, like Apple vs. FBI, are indicators that people around the world do care about their privacy, and the ambition to design and maintain systems that respond to relevant privacy issues can no longer be dismissed as “anti-progressivism”. However, assuming it is meant to be more than marketing, getting privacy right is challenging. The emerging field of privacy engineering responds to this challenge. It intends to address the gap between privacy research and and engineering practice by systematizing and evaluating methods, techniques and tools to capture and address privacy issues while engineering information systems. In this lecture, I will give an overview of privacy research paradigms in computer science and the nascent field of privacy engineering
Threat Modeling is a technique used to find flaws in the design of systems. Threat modeling requires some unique skills and broad knowledge about software security in general. This poses a challenge when trying to do threat modeling on a large number of applications. In this talk, we’ll discuss some options for how to do threat modeling at scale, and address some challenges that different development environments (waterfall, agile, CD) can pose when doing threat modeling at scale.
Stream ciphers, block ciphers and hash functions are the three classical types of symmetric algorithms.
A stream cipher generates a keystream of random bits which are exclusive-or'ed with the plaintext. Stream ciphers are often used to provide confidentiality for real-time traffic, such as GSM and Bluetooth.
Block ciphers repeat simple substitution and transposition operations many times on fixed size blocks. The Data Encryption Standard (DES) has been widely used in banking, but is superseded by triple-DES and AES.
Hash functions accept input strings of arbitrary length and produce fixed-length output. A Manipulation Detection Code (MDC) affords integrity protection. Given an output of an MDC, it is infeasible to find the corresponding input and it should be difficult to find colliding inputs. Practical examples are SHA-1, SHA-256 and RIPEMD-160.
A Message Authentication Code (MAC) is a hash function with a secret key that provides data origin authentication. Practical examples are CBC-MAC, based on triple-DES and AES block ciphers.
Gain insight into
Authentication methods are based on something known, owned, biometric, location or evidence of trusted third party authentication.
While public key cryptography is well suited to entity authentication, performance constraints often mandate a symmetric algorithm for encrypting data passed between systems. Key establishment should be linked to authentication, so that a party has assurances that a key is only shared with the authenticated party. The Diffie-Hellman key agreement protocol underlies a host of current technologies such as STS (Station-to-Station protocol) and IKE.
This is a very hands-on session. The session begins by describing the threat model process we use at Cigital. We will walk through an in-class example applying the process to identify potential flaws in a system. The class will then be broken up into small groups and we will spend the majority of the time building a threat model as a number of individual labs. This will be a pen and paper exercise with the instructor providing the necessary materials to the students.
Gain an overview of secure network protocols.
OverviewAs well as being important practical examples of the use of PKIs, networking protocols such as SSL/TLS, HTTPS, SSH and IPsec are also of great interest to the designer of secure systems in their own right. Participants gain an appreciation of how security requirements influence the choice of network technology.
This is a very hands-on session. The session begins by describing the threat model process we use at Cigital. We will walk through an in-class example applying the process to identify potential flaws in a system. The class will then be broken up into small groups and we will spend the majority of the time building a threat model as a number of individual labs. This will be a pen and paper exercise with the instructor providing the necessary materials to the students.
The function of a public key infrastructure (PKI) is to ensure secure delivery and management of public keys. Alternative trust models lead to different key architectures.
Public keys are published by means of digitally signed certificates.
A private key may be compromised, in which case the certificate containing the corresponding public key must be revoked. Many revocation methods are in current use. Publication of Certificate Revocation Lists (CRLs) and checking with an Online Certificate Status Protocol (OCSP) responder are best established.
Three major shifts have transformed the practice of software engineering over the last two decades. In short, these are the shifts from waterfall to agile development, from shrink-wrap software to services, and from the PC to the cloud. I will refer to this transformation as the 'agile turn’. After going over the different tenets of the agile turn based on interviews with developers in the US, we will take time to discuss the challenges and opportunities it offers to addressing privacy. To conclude, I will present some recent academic research addressing aspects of the agile turn and relate those to the challenges to the requirement of privacy by design in the General Data Protection Regulation (GDPR).
This lecture presents an overview of the Snowden revelations and the impact on our understanding of the security of our networks and systems. In particular, we discuss the known ways in which sophisticated attackers can bypass or undermine cryptography. We also speculate on how three-letter agencies could be breaking most encryption on the Internet. We relate this to the latest developments in cryptanalysis and discuss which cryptographic algorithms and implementations to select to stay protected.
Application architects need to make informed choices to use cryptography well:
Learning objectives
- understand the principles of distributed consensus
- understand the principles of cryptocurrencies and smart contracts
- understand the strength and limitations of Bitcoin
Overview
After the failure of a large number of innovative payment and currency systems in the 1990s, the rise of Bitcoin, launched in 2009, was surprising. The Bitcoin ecosystem had a bumpy start, but driven in part by the demand created by the Silk Road and perhaps the Cyprus crisis, the impact grew quickly: the total value of bitcoins rose to several billion US$ in the first two years (currently it is around US$ 14 billion), hundreds of alternative cryptocurrencies (altcoins) were created and large mining entities were established, mostly in China. The ideas behind Bitcoin have opened up new approaches to cryptocurrencies, but also to distributed consensus, distributed naming, secure timestamping and commitment. One of the aspects that have drawn the most interest is the smart contract (that is, cryptographically enforceable agreements) on top of the Bitcoin ecosystem (or on other systems such as Ethereum). Even if some observers predict that the Bitcoin ecosystem will disappear or become irrelevant, the core ideas have already made a major impact.
Unlike any other payment system or cryptocurrency created before, Bitcoin allows for fully decentralized generation of currency and fully decentralized verification of transactions. The core idea is the blockchain, a public ledger that registers all transactions under the form of a hash chain; the blockchain describes the state of the system, that is, it specifies who owns which amount. Transactions themselves are validated based on a scripting language, which creates some flexibility. In a distributed system, a central problem is how to achieve consensus (e.g., how to deal with double-spending transactions). Transactions are broadcast over a low-latency peer-to-peer network that offers some robustness against censoring or sabotage. This approach allows the Bitcoin ecosystem to achieve distributed consensus in a practical way assuming that players are rational (something which is known to be unachievable without additional assumptions such as rationality) albeit at the cost of a major computational effort in terms of mining.
While the financial industry is less interested in the anarchistic aspects of the Bitcoin ecosystem (the governance model and the uncontrolled money supply), the distributed consensus idea is very appealing and is believed to have a very high business potential for a large number of financial transactions and interactions. In 2015, about US$ 1 billion was invested in venture capital in the area of blockchain and cryptocurrencies and the Aite Group predicted in 2016 that blockchain market could be worth as much as US$ 400 million in annual business by 2019. The idea of a public ledger for timestamping and registering documents using hash chains is more than 25 years old, as witnessed by the efforts of Surety Technologies in the early 1990 and the ISO standardization in this area in the mid 1990s –- but these earlier approaches did use a central authority to register all transactions. Bitcoin has inspired many actors to revisit those ideas by `taming’ the Bitcoin ecosystem into a private or permissioned ledger, where only a few selected actors have control over new currencies or verification of transactions (to get rid of distributed control) and where access to the ledger can be restricted (to get rid of full transparency). Some of the notable developments in this context are the open source initiative of IBM that is called Hyperledger and Intel's experimental Sawtooth Lake architecture.
May 2018, a date to keep in mind... a new privacy regulation comes into force in Europe.
The General Data Protection Regulation (GDPR) introduces a new set of constraints that has to be followed by any company doing business in Europe.
During this session, participants will learn how to translate GDPR into a set of security tasks, which can be implemented within an application.
We will describe what do we mean by Personal Information and which risks are related to such kind of data. Based on data handle by the application, the participants will discover why a Privacy Impact Assessment (PIA) is a useful tool. We will walk into the Processing Purpose, Data life cycle Management, Data Flow Diagram, Data classification, Data Accuracy (such as Correction, Destruction, Blocking, Retention period), Third Party, Complaints management and Privacy Notice.
From these notions, we will describe which security controls can be put in in place. We will introduce the relation between Privacy and Security, the notion of Privacy by Design and how the Secure Development Lifecycle (SDLC) can be impacted. The last part of this session will introduce the need data Breach detection.
Use the Ashley Madison Data Leakage case to explore application controls related to: Website & User Profile, Mobile applications, Localization / Tracking, Chat, Profiling, Sharing information with third parties
The participants shall break-out in groups to work on the case
A presentation of the groups results shall be delivered to the class
The security testing of software is inherently difficult. This is because vulnerabilities typically emerge as unanticipated interactions in the design of a software component, as implementation artefacts that were not specified in the design, or as bugs, where design and implementation deviate. Thus, when searching for breaches of security properties we are looking for design or implementation details that can be abused in ways not considered by the designers, developers and testers of a software component.
Formal methods promise to systematise this search for needles in haystacks and use mathematical rigour to provide convincing arguments for the absence of such needles. Yet, with few exceptions in safety-critical systems engineering, the adoption of formal techniques in software development processes is low. Furthermore, formal methods traditionally focus on safety aspects of software, i.e., functional correctness and the absence of runtime exceptions of software. In this talk I will outline the advantages and disadvantages of modern approaches to formal software analysis and verification. I will focus on tools and techniques that can be integrated efficiently with testing efforts, in particular in security testing.