Secure Software Design with UML - PowerPoint PPT Presentation

About This Presentation
Title:

Secure Software Design with UML

Description:

Secure Software Design with UML Secure UML: Requirements System Architecture/Design Test This is partial coverage of the system. We start with a small portion of the ... – PowerPoint PPT presentation

Number of Views:506
Avg rating:3.0/5.0
Slides: 43
Provided by: lincke
Learn more at: http://www.cs.uwp.edu

Transcript and Presenter's Notes

1
Secure Software Design with UML
  • Secure UML
  • Requirements
  • System Architecture/Design
  • Test

2
Acknowledgments
  • References are provided per page. Most diagrams
    are original, but ideas are adapted from
    references.
  • Author: Susan J. Lincke, PhD, Univ. of Wisconsin-Parkside
  • Contributors/Reviewers: Tim Knautz, Janine Spears PhD, David Green
    PhD, Megan Reid
  • Funded by National Science Foundation (NSF)
    Course, Curriculum and Laboratory Improvement
    (CCLI) grant 0837574 Information Security
    Audit, Case Study, and Service Learning.
  • Any opinions, findings, and conclusions or
    recommendations expressed in this material are
    those of the author(s) and/or source(s) and do
    not necessarily reflect the views of the National
    Science Foundation.

3
Security Assures CIA
  • Confidentiality: Limits access to authorized users and prevents
    access by unauthorized users
  • Integrity: Information resources and data are reliable and have
    not been changed inappropriately
  • Availability: When something needs to be accessed by the user, it
    is available

4
Security Vocabulary
  • Asset: Diamonds
  • Threat: Theft
  • Vulnerability: Open door or windows
  • Threat agent: Burglar
  • Owner: Those accountable for, or who value, the asset
  • Risk: Danger to assets

5
Registration System Use Case
  • Register: Clients register to obtain documentation by providing
    name, email, job function
  • Provider: Sends periodic updates to Clients to indicate changes in
    materials

6
OCTAVE Security Requirements Process
  • Risk = Threat and vulnerability(s) -> negative impact
  • Identify critical assets
  • Define security goals
  • Identify threats
  • Analyze risks
  • Define security requirements

7
Step 1. Identify Critical Assets via Business Process Diagram
  • Contact Info: Name, email, job function
  • Materials: Course materials
  • Comments: Feedback, saved and sent as email

8
Step 2. Define Security Goals

Assets        Confidentiality     Integrity                                    Availability
Contact Info  No PII maintained   Require accurate list of interested persons  Weekly backup
Materials     Public with login   Accurate, tamper-proof                       24/7 preferred
Comments      Confidential pref.  Accurate, tamper-proof                       Weekly backup, email

  • Impact Rating legend: Low Priority, Medium Priority, High Priority

9
Step 3 Identify Threats
[Table: STRIDE general threats, with columns "What it is", "Software Techniques" and "Advanced Security"; the table cells were not captured in the transcript]
10
Step 3. Identify Threats via Misuse Case Diagram
  • Which misuse cases relate to Confidentiality? Integrity?
    Availability?
  • Definitions
  • DOS: Denial of Service
  • Misuser
  • Misuse case

11
Step 3 (contd) Expand DOS Misuse Case
  • Overflow DB: Fill disk with records
  • Send Continual Requests (Distributed Denial of Service): No
    processor remains
12
Step 3 (optional) Threat Tree
13
Step 3 contd Lightweight Misuse Case: Change Valid Data

User Intention                                  System Response         Security Threat
User requests Reg. form                         System provides form
Attacker enters form input but appends          System processes input  SQL injection: Obtain (client) list;
  additional SQL commands                                               Change valid data
14
Step 3 Contd Mid-weight Misuse Case: DOS
Misuse Case: Denial of Service
Summary: An attacker issues repeated Registrations, filling the database with fake data and depleting system and file resources.
Basic Path:
  1. Do forever
  2. The attacker requests a Registration form
  3. The attacker sends random fake data in the form
  4. Enddo
Alternative Paths: AP1. Repeat data is entered
Mitigation Points: MP1. At BP Step 2-3, use CAPTCHA in Registration form to avoid bot attack. MP2. At BP Step 3, validate data: no duplicates, data type matching
15
Step 3 Contd Mid-weight Misuse Case: Circumvent Input
Misuse Case: Circumvent Input
Summary: Deviant Client bypasses registration by going directly to the download web page.
Precondition: Client does Google search and finds link to download web page, OR obtains link reference from a colleague
Basic Path:
  1. DeviantClient obtains web reference from Google or friend.
  2. DeviantClient uses web reference to download materials without registering.
Mitigation Points: MP1. Web page has no other web references. MP2. Create dynamic web page with unique reference. This web page is accessible only if a key is provided during registration. Key expires in one week.
Related Business Rule: Users must register to obtain materials.
Mitigation Guarantee: MP1 and MP2 solve the Google search problem. MP2 could be used by friends for one week, which is acceptable.
16
Step 4 Analyze Risks

Threat                                           Impact  Likelihood  Priority (I x L)
DOS                                                                  9
SQL Attack (affects integrity, confidentiality)                      9
Invalid Input                                                        3
Circumvent input                                                     6

(Impact and Likelihood cells were not captured in the transcript; only the resulting priority survives.)

17
Step 5 Define Security Requirements
Definitions
18
Stage 5 Define Security Requirements: Modify Register Use Case Desc.
Use Case: Register
Summary: Client registers to obtain access to download materials.
Preconditions: Client is at Welcome Web Page
Basic Path:
  1. The client selects the Obtain Materials link.
  2. The system asks the client for name, email address, job function, and CAPTCHA.
  3. The client enters all three required items.
  4. Include (Validate Registration)
  5. The system displays the URL for the download materials.
Alternative Path: AP1. If an attack is detected, no URL is displayed.
Postcondition: The client has access to the download materials. The database contains the client contact information.
19
Stage 5 Define Security Requirements: Validate Registration Security Use Case
Use Case: Validate Registration
Summary: This included use case validates a registration.
Precondition: A name, email, job function, and CAPTCHA are provided.
Basic Path:
  1. The user enters a name, email, and job function in Step 3 of Register
  2. Do until valid CAPTCHA: re-request form with new CAPTCHA
  3. The system checks for valid characters, to prevent SQL injection.
  4. The system checks for valid name, email and job function
  5. If email is unique in database, save record to database
  6. The system returns success.
Postconditions: The input has been checked for bot attempt, SQL attempt, and validity.
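The Validate Registration steps above, together with mitigation points MP1 and MP2 of the DOS misuse case (slide 14), as an added Python example that is not part of the presentation: CAPTCHA re-request, allow-list validation of the three fields, and a parameterised duplicate check and insert. The field patterns, the job-function list and the SQLite table are constructed for the example.

```python
import re
import sqlite3

# Constructed allow-lists for the three registration fields (assumptions for
# this example, not rules from the presentation).
NAME_RE = re.compile(r"[A-Za-z][A-Za-z .'-]{1,79}")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
JOB_FUNCTIONS = {"developer", "tester", "manager", "student", "other"}


def open_db():
    """In-memory client table standing in for the registration database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE clients (name TEXT, email TEXT UNIQUE, job TEXT)")
    return db


def validate_registration(db, form, captcha_ok):
    """Validate Registration include. Returns (status, reason).

    form: dict with name, email, job (Register step 3); captcha_ok: result of
    the CAPTCHA check (MP1). Statuses: retry_captcha, invalid, duplicate, success.
    """
    if not captcha_ok:                      # "Do until valid CAPTCHA"
        return "retry_captcha", "re-request form with new CAPTCHA"
    name, email, job = (form.get(k, "") for k in ("name", "email", "job"))
    # Allow-list checks reject characters an injection payload needs and enforce
    # data-type matching (MP2); on "invalid" the caller shows no URL (AP1).
    if not NAME_RE.fullmatch(name):
        return "invalid", "name contains characters outside the allow-list"
    if not EMAIL_RE.fullmatch(email):
        return "invalid", "malformed email"
    if job.lower() not in JOB_FUNCTIONS:
        return "invalid", "unknown job function"
    # Parameterised queries: input is bound, never spliced into SQL text, so an
    # allowed apostrophe in a name (O'Brien) cannot alter the statement.
    if db.execute("SELECT 1 FROM clients WHERE email = ?", (email,)).fetchone():
        return "duplicate", "email already registered (AP1: repeat data)"
    db.execute("INSERT INTO clients VALUES (?, ?, ?)", (name, email, job.lower()))
    db.commit()
    return "success", "record saved"


def client_count(db):
    """Number of saved registrations (used to confirm rejected input is not stored)."""
    return db.execute("SELECT COUNT(*) FROM clients").fetchone()[0]
```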
20
Business Process Diagram Enhancement
  • Legend: Loc = Local Access; AD = Attack Detection; Pr = Privacy
21
Secure Design
  • Secure UML

22
Mis-Sequence Diagram
23
State Diagram
  • State Diagrams can ensure software:
  • Retains proper order of processing
  • Recognizes out-of-sequence steps
  • Can change behavior based on time or past history
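An added example (not from the presentation) of what the state-diagram bullets above mean in code, which also enforces mitigation point MP2 of the Circumvent Input misuse case (slide 15): a per-client state machine that rejects out-of-sequence steps such as downloading before registering, and invalidates the registration key after one week. The state names, the injectable clock and the key format are assumptions.

```python
import secrets
import time

KEY_LIFETIME = 7 * 24 * 3600   # MP2: the download reference expires in one week


class RegistrationSession:
    """Per-client state machine: welcome -> form -> registered.

    The clock is injectable (an assumption for testing); production code
    would use time.time.
    """

    def __init__(self, now=time.time):
        self.state = "welcome"
        self.now = now
        self.key = None          # unique reference issued at registration (MP2)
        self.expires = None

    def request_form(self):
        if self.state != "welcome":
            return self._reject("request_form")
        self.state = "form"
        return "form issued"

    def submit_form(self, valid):
        """valid: outcome of Validate Registration (CAPTCHA and field checks)."""
        if self.state != "form":
            return self._reject("submit_form")
        if not valid:
            return "re-request form"        # stay in "form": new CAPTCHA, same state
        self.key = secrets.token_urlsafe(16)
        self.expires = self.now() + KEY_LIFETIME
        self.state = "registered"
        return "registered"

    def download(self, presented_key):
        """Circumvent Input: a download without a prior registration is out of sequence."""
        if self.state != "registered":
            return self._reject("download")
        if self.now() > self.expires:       # behaviour changes with time
            self.state, self.key = "welcome", None
            return "key expired"
        if not secrets.compare_digest(presented_key, self.key):
            return "bad key"
        return "materials"

    def _reject(self, step):
        return f"rejected: {step} out of sequence in state {self.state}"
```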

24
Documenting Security Packages
Sanitizer
  <<Security Package>> Sanitize Input
  <<Risk Factor>> 9
  <<Security Descriptor>> Injection Attack Defense
Registration
  <<protects>>
CAPTCHA
  <<Security Package>>
  <<Risk Factor>> 9
  <<Security Descriptor>> DOS Defense
  <<Security Descriptor>> 3rd Party S/W
25
Open Group's Common Data Security Architecture
  • Applications (one per column in the diagram)
  • Common Security Services Manager Application Programming Interface
  • System Security Services (Digital Certificate, key management,
    integrity services, security contexts)
  • Module managers: Cryptographic Services Mgr., Trust Policy Services
    Mgr., Authorization Computation Mgr., Certificate Library Mgr.,
    Data Storage Library Mgr., Elective Module Mgr.
  • Libraries: CS Library, Trust Library, AC Library, Cert. Library,
    DS Library, New Services Lib.
26
Security Diagrams: Security Patterns
  • Authenticator Pattern
  • Authorization Pattern

27
Misuse Deployment Diagram
  • Shows attacks/defenses
  • Shows where attacks are handled
  • Useful for:
  • Security Planning
  • Audit
  • Test - QC
  • S/W Development

28
Secure Test
  • Secure UML

29
Bug Bar
Bug Bar Standard for Tampering and Repudiation (severity: description)
  • High: Permanent modification of any user data in a common scenario that persists after restarting the OS/application.
  • Moderate: Permanent modification of any user data in a specific scenario, or temporary modification of user data in a common scenario.
  • Low: Temporary modification of data in a specific scenario that does not persist after restarting the OS/application.
30
When to Release Software?
  • Attack Surface
  • Bug Bar
  • A knight's suit of armor protects his attack surface by covering
    most of his body
  • Software: where are the (new) vulnerabilities that are not
    mitigated?
  • Security threshold that must be achieved for release

31
Testing
  • Software Testing: Software works as it should
  • Vulnerability Testing: Automated testing checks for holes
  • Penetration Testing: Probes security risks, addressing threats to
    policy
  • Reliability Testing: Can s/w survive faults or unusual operating
    conditions?

32
Software Testing
  • Static Testing: Analyzes code (not its execution) for potential
    bugs and reports warnings
  • May be an option on a compiler
  • Fuzz Testing: Generates random input to test exception handling
    and handling of incorrect input

33
Vulnerability Testing
  • Buffer Overflow: Can long input affect service?
  • Script Injection: Can input containing scripts execute?
  • Numeric Overflow: Can a large number become a negative or small
    number?
  • Race Condition: Can multiple threads cause errors?
  • Configuration Issues: Can software be installed improperly,
    causing abuse?
  • Programmer Backdoors: Have programmers left hooks providing entry
    or information?

34
Mature Software Practices
SAMM Business Function  SAMM Practice           BSIMM Domain                                        BSIMM Practice
Governance              Strategy & Metrics      Governance                                          Strategy & Metrics
Governance              Policy & Compliance     Governance                                          Compliance & Policy
Governance              Education & Guidance    Governance                                          Training
Construction            Threat Assessment       Intelligence                                        Attack Models
Construction            Security Requirements   Intelligence                                        Security Features & Design
Construction            Secure Architecture     Intelligence                                        Standards & Requirements
Verification            Design Review           Secure Software Development Life Cycle Touchpoints  Architectural Analysis
Verification            Code Review             Secure Software Development Life Cycle Touchpoints  Code Review
Verification            Security Testing        Secure Software Development Life Cycle Touchpoints  Security Testing
Deployment              Vulnerability Mgmt      Deployment                                          Penetration Testing
Deployment              Environment Hardening   Deployment                                          Software Environment
Deployment              Operational Enablement  Deployment                                          Configuration Mgmt., Vulnerability Mgmt.

(SAMM = Software Assurance Maturity Model; BSIMM = Building Security In Maturity Model)
35
Agile Development
  • Security training is important!
  • Include Evil User Stories in every Sprint
  • "As a hacker, I send bad data in forms, so I can
    modify the database in unauthorized ways."
  • Analyze risk at start of sprint, backlog change
  • Address Security features
  • authentication, access control, input validation,
    output encoding, error/exception handling,
    encryption, data integrity, logging and alarms,
    and data communication security
  • Review code for security
  • Test using code analyzers, fuzz testing,
    auto/manual penetration tests

36
Health First Case Study
  • Jamie Ramon, MD: Doctor
  • Chris Ramon, RD: Dietician
  • Terry: Medical Admin
  • Pat: Software Consultant
  • Security Requirements

37
Step 1 Identify Critical Assets
  • All of this information is protected by HIPAA
  • HIPAA: Health Insurance Portability and Accountability Act
  • HIPAA protects
  • Confidentiality: In transmission, on disk, or any other form.
  • Integrity: All transactions are logged as to who did them and why.
    Hashing (sophisticated checksums) is also required.

38
Step 2 Define security goals
  • Columns: Confidentiality, Integrity, Availability
  • Asset: Patient Information (Appointments, Medical history,
    Treatment, Prescriptions, Bills)
  • Impact Rating legend: Low Priority, Medium Priority, High Priority
39
Step 2 Define security goals
  • Asset: Patient Information (Appointments, Medical history,
    Treatment, Prescriptions, Bills)
  • Confidentiality: HIPAA Requirement
  • Integrity: HIPAA Requirement; Malpractice lawsuit if accidental
    death
  • Availability: Malpractice lawsuit if information not available
  • Impact Rating legend: Low Priority, Medium Priority, High Priority
40
Step 3 Identify Threats
  • Medical Admin use cases include
  • Make appointment: Patient may phone for an appt.
  • Create Patient Record: To make an appt., a minimal patient record
    must exist or be created
  • Register for Appointment: When the patient arrives for his/her
    appt.
  • Update Patient: Update patient medical history
  • Determine Health Plan Eligibility: Ask HMO/PPO what the patient is
    eligible for in coverage and conditions
  • Use Case Diagram

41
Step 3 Identify Threats
[Table: STRIDE general threats, with columns "What it is", "Software Techniques" and "Advanced Security"; the table cells were not captured in the transcript]
42
Security Requirements Process
  • OCTAVE Security Requirements Process
  • Identify critical assets
  • Define security goals
  • Identify threats
  • Draw Misuse Diagram from Use Case Diagram
  • Analyze risks
  • Priority = Impact x Likelihood
  • Define security requirements
  • Draw Misuse Diagram with Security Use Cases
  • Define one Misuse Description (Lightweight or
    Midweight)