CS1021 - Security

name: inverse
layout: true
class: taylor msoe
---
class: center, middle

.title[
  # Developing Secure Software
]

???

* **P** speaker view
* **C** clone slideshow
* **?** help

---
# Talk Overview

## Security Principles — Be Mindful

## Security Practices — Be Conscientious

---
class: center, middle

.title[
  # Security Principles 
]

---
# Integrity

* Only authorized users can manipulate data

--
* All data manipulation via authorized methods/procedures

--
> Encapsulation limits damage

---
# Confidentiality

* Unauthorized access to information is prevented

--
> Leaking data is bad

--
* Even if villain is unable to gain control of your software

---
# Availability

* Authorized users can access the system

--
> May as well not exist

* if cannot be accessed

---
# Principle of Least Privilege

* Grant minimal access rights to tools and data

--
> Limit pain when things go bad

---
# Economy of Mechanism

* Systems should be designed to be as simple and small as possible

--
> Simplicity reduces chance of future errors

---
# Open Design

* Security should not depend on the secrecy of its design or implementation

--
> Security lost if secrets compromised

---
# Psychological Acceptability

* Software should be as easy to use/access as if the security mechanisms weren't present

--
> Difficult security makes people look for alternatives

---
# Fail Secure

* Limit the amount of information exposed when failing

--
> Be careful with error messages

---
# Plan for Failure

* Have a plan for securing systems and recovering from suspected/known security breaches

--
> Swift response GOOD

> Rushed response BAD

---
# Weakest Link

* A system is only as strong as its weakest link

--
> Can't neglect any aspect

---
# Summary of Security Principles

* Integrity
* Confidentiality
* Availability
* Least Privilege
* Economy of Mechanism
* Open Design
* Psychological Acceptability
* Fail Secure
* Plan for Failure
* Weakest Link

---
class: center, middle

.title[
  # Security Practices 
]

---
# Security Practices

* Be defensive

--
    + Implement as if you are under attack
--
* Prefer having obviously no flaws rather than no obvious flaws

--
    + Clever logic can hide flaws
--
* Avoid duplication

--
    + Maintaining duplicated code is tedious
    + Often doesn't happen
--
* Establish trust boundaries

--
    + Sanitize and validate data when crossing boundaries
--
* Encapsulate

--
    + Provide succinct interfaces
    + Make fields private
    + Avoid accessors
    + Coherent behaviors in interface/class/package/module

---
# Security Practices cont...

* Document security-related information

--
    + Required permissions
    + Security-related exceptions, preconditions, postconditions 
--
* Beware of activities that may use disproportionate resources

--
    + Requesting large image sizes for vector graphics
    + Integer overflows
    + Infinite loops 
--
* Release resources in all cases

--
    + Every `open` should have a `close`
    + Ensure output buffers are flushed
    + If the flush fails, throw an exception

---
# Security Practices cont...

* Purge sensitive information from exceptions

--
    + Exception objects may contain sensitive information
    + Useful when debugging
    + Risky in production
    + E.g., a `FileNotFoundException` may reveal location of a configuration file with sensitive information
--
* Do not log highly sensitive information

--
    + E.g., Social Security numbers and passwords

---
# Security Practices cont...

* Consider overwriting highly sensitive data from memory after use

--
    + Reduces risk of sensitive data exposure from sniffing memory before garbage collector acts
    + Can be difficult
        - Cannot overwrite immutable fields
        - Libraries may make additional copies of data 
--
* Generate valid formatting

--
    + Guards against attacks exploiting special characters as inputs, incorrect escaping, etc... to cause incorrect formatting.
    + Use well-tested libraries for output — If they don't exist, create simple classes with the sole purpose of cleanly handling formatting (so they are easier to test).

---
# Security Practices cont...
 
* HTML/XML/SQL generation requires care

--
    + Sanitize untrusted data before including it in HTML, XML, or SQL. 
--
* Limit the extensibility of classes and methods

--
    + Design classes and methods for inheritance or declare them as final.
    + Left non-final, a class or method can be maliciously overridden by an attacker. 
--
* Validate inputs

--
    + Inputs from untrusted sources must be validate before use. 
--
* Prevent constructors from calling methods that can be overridden

--
    + Constructors that call overridable methods give attackers a reference to `this` before the object has been fully initialized. 
--
* Prefer immutability

--
    + Declaring things as final ensures that they can't be changed maliciously.

---
# Security Practices cont...
 
* Ensure public fields are final

--
    + Only immutable values should be stored in public fields to prevent malicious changes. 
--
* Ensure public static final field values are constants

--
    + public static final means that the field can't be changed
    + If a reference, then reference can't point to a different object
    + Still possible to interact with the reference
    + If reference points a mutable object, it can be used to change it value of the object
--
* Create copies of mutable output values

--
    + Returning a reference to a field from an object gives the caller direct access to that internal field, even if it was declared private. Making a copy of the field and returning a reference to that copy is safer.