A Security Recommendations Report Computer Science Essay


This security recommendation report is for HotSource1, an established web development company that has been in business for almost 10 years. As per the information provided, the company has already developed web applications for some of Australia's largest companies and for international clients as well.

The company has now started offering outsourced payroll software, called EPayX1, which it hosts and manages for its clients. This payroll system and its services accounted for 65% of the company's revenue in late 2009, a share that is growing and is expected to reach 80-90% by the end of 2011. Until now, HotSource1 has been the number one company in web development, and because of its good reputation and goodwill its products had rarely been tested. But now, for its latest product, the payroll software, clients want a penetration test before they sign the final purchase order.

A few penetration tests have been done by security consultants on behalf of the clients, and major vulnerabilities were found in the company's web applications: SQL Injection, Cross-Site Scripting (XSS), Broken Authentication and Session Management, Insecure Direct Object References, Cross-Site Request Forgery (CSRF), Security Misconfiguration (NEW), Insecure Cryptographic Storage, Failure to Restrict URL Access, Insufficient Transport Layer Protection, and Unvalidated Redirects and Forwards (NEW).

James Jenkins, the CEO of the company, realises that the company needs a CSO (Chief Security Officer) to take charge of the security of its web applications.

SafeInsurance is the key client of the company and is about to sign a $10 million contract. Nigel Wishes, the CIO of SafeInsurance, wishes to have a penetration test performed for security assurance before signing the deal.

RestAssure, a leading information security consulting company, has been working for SafeInsurance for over 5 years. Colin Competent is their Principal Security Consultant.


Background:


A few penetration tests have been performed by security consultants on behalf of the company's clients. According to the results of these penetration tests, major security vulnerabilities have been detected in some of the company's applications, including the payroll software. (Reference: case study provided by USQ)

The major vulnerabilities detected in the penetration tests are as follows:

Injection:

The first vulnerability detected in the recent penetration test is Injection, in this case SQL Injection. The most common form of this attack is the direct insertion of code into user-input variables that are concatenated with SQL commands and then executed. The attacker inserts malicious code into strings that are passed to an instance of SQL Server for execution. Even parameterized data can be manipulated by a skilled and determined attacker. (SQL Injection, SQL Server 2008 R2)

Cross-Site Scripting (XSS):

The penetration test found no proper protection against XSS attacks. Cross-Site Scripting is a security attack in which the attacker inserts malicious code through a link that appears to come from a trusted source. When someone clicks on the link, the embedded code is submitted and the attacker can steal information. It is closely related to SQL Injection, since in both cases untrusted input ends up being executed as code. (The leading software quality management and testing conference, Citigate Central Sydney, 26-27 Oct)

Broken Authentication and Session Management:

The penetration test shows that authentication and session management are not implemented correctly in the applications and are not protected. An attacker can compromise passwords and session tokens, and can assume another user's identity. (OWASP Top Ten)

Insecure Direct Object References:

Access controls are not defined properly. In programming terms an object can be anything such as a file, folder, directory or database key. When the developer exposes a reference to such an internal implementation object, the result is a direct object reference. Without an access control check, an attacker can use it to reach unauthorised data. (OWASP Top Ten)

Cross-Site Request Forgery (CSRF):

The other major weak point of the company's web applications is Cross-Site Request Forgery, also known as hostile linking. It is a malicious attack that forces a user's browser to submit unwanted data or actions. It mostly happens while the user is logged into a trusted site. (Cross-site request forgery, Webopedia)

Security Misconfiguration (NEW):

The other vulnerability detected in the penetration test is security misconfiguration. It was found that the configuration of the applications, application server, framework, web server, database server and platform is poor and in places not secure at all. All settings should be securely configured by default and the software should be kept up to date as well.

Insecure Cryptographic Storage:

The penetration test also found that sensitive data such as passwords, authentication credentials and SSNs are not properly protected with appropriate encryption. An attacker can easily access users' data and can also manipulate it.

Failure to Restrict URL Access:

The penetration test found that there are no proper access controls to check access rights for website links or buttons. An attacker can easily access these pages and retrieve sensitive information.

Insufficient Transport Layer Protection:

The penetration test also found that the applications fail to encrypt, authenticate and protect the confidentiality and integrity of sensitive network traffic. Sometimes they use expired or invalid certificates and weak algorithms.

Unvalidated Redirects and Forwards (NEW):

The next vulnerability detected in the recent penetration test is that the web applications sometimes redirect and forward users to other web pages that may be untrusted. There is no proper validation of these redirects and forwards, and as a result malware or phishing attacks could occur.

Recommendations:

As we all know, no software created today is 100% secure. So in order to develop good software, security concerns and issues must be kept in mind all the time during the software development cycle. As the new CSO for HotSource1, it is my job to determine and focus on the vulnerabilities detected in HotSource1's applications, and to contact the CEO of HotSource1, James Jenkins. From the CEO I learned that the key client of HotSource1 is SafeInsurance, which is willing to sign a $10M contract on the assurance that the payroll system is developed securely. I will contact SafeInsurance's CIO, Nigel Wishes, to assure him of what I have done for security. I studied the problems that arose in the payroll system of HotSource1. I found different vulnerabilities in the payroll software, and different standards that need to be followed. I explain below the prevention steps for the vulnerabilities, the standards to be followed and the methodologies.

As I have already described the different vulnerabilities in the background, I recommend here some of their prevention methods, which are as follows:

A1-Injection:

Prevention: Untrusted data should be kept separate from commands and queries. A safe API that keeps data parameterized, and positive input validation, can be used.
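As an added illustration (not part of the original report, and not HotSource1's code), the following Python script shows the concatenated query the penetration test describes beside its parameterized replacement, plus a positive input validation check, against a constructed in-memory SQLite payroll table; the table, column names and login-name format are assumptions.

```python
import re
import sqlite3

# Constructed sample payroll table (an assumption, not the EPayX1 schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (id INTEGER, name TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)",
                     [(1, "alice", 5000), (2, "bob", 6000), (3, "carol", 7000)])
    return conn

def lookup_vulnerable(conn, name):
    """Untrusted input concatenated into the SQL text: the input can rewrite the query."""
    sql = "SELECT name, salary FROM employees WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, name):
    """Safe API: the driver passes the value separately from the command, so it is only ever data."""
    return conn.execute("SELECT name, salary FROM employees WHERE name = ?", (name,)).fetchall()

def is_valid_name(name):
    """Positive (allow-list) validation: accept only what a login name may legitimately contain."""
    return re.fullmatch(r"[A-Za-z][A-Za-z0-9_.]{0,31}", name) is not None

def lookup_hardened(conn, name):
    """Validate first, then query through the parameterized API; reject anything else outright."""
    if not is_valid_name(name):
        return None
    return lookup_parameterized(conn, name)

if __name__ == "__main__":
    conn = make_db()
    benign = "alice"
    hostile = "x' OR '1'='1"          # classic tautology that rewrites the WHERE clause
    print(lookup_vulnerable(conn, benign))       # [('alice', 5000)]
    print(lookup_vulnerable(conn, hostile))      # all three rows leaked
    print(lookup_parameterized(conn, hostile))   # [] -- the quote characters stay inside the value
    print(lookup_hardened(conn, hostile))        # None -- rejected by validation before any query
```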

A2-Cross Site Scripting (XSS):

Prevention: Untrusted data should be kept separate from active browser content. Properly escape all untrusted data; positive input validation can also be used.

A3-Broken Authentication and Session Management:

Prevention: XSS flaws must be avoided, and a single set of authentication and session management controls is required.

A4-Insecure Direct Object References:

Prevention: Check access on each use, and use per-user or per-session indirect object references.

A5-Cross Site Request Forgery (CSRF):

Prevention: Inclusion of an unpredictable token in the body or URL of each HTTP request can be used to prevent CSRF.
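An added example, not from the original report or HotSource1's payroll code: a per-session unpredictable token issued with the form and checked on submission, in Python. The session dictionary, the form fields and the /payroll/update action are assumptions.

```python
import hmac
import secrets

def issue_csrf_token(session):
    """Create one unpredictable 256-bit token per login session and keep it server-side."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]

def render_update_form(session):
    """Embed the session's token in the form as a hidden field (assumed /payroll/update action)."""
    token = issue_csrf_token(session)
    return ('<form method="POST" action="/payroll/update">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="employee_id"><input name="salary"></form>')

def csrf_token_valid(session, form_fields):
    """True only if the submitted token matches the session's token (constant-time compare)."""
    expected = session.get("csrf_token")
    supplied = form_fields.get("csrf_token")
    if not expected or not isinstance(supplied, str):
        return False
    return hmac.compare_digest(expected.encode(), supplied.encode())

def handle_update(session, form_fields):
    """Apply the state-changing action only when the request carries the right token."""
    if not csrf_token_valid(session, form_fields):
        return "rejected: missing or invalid CSRF token"
    return f"updated employee {form_fields.get('employee_id')}"

if __name__ == "__main__":
    session = {"user": "payroll_admin"}   # constructed server-side session for a logged-in user
    render_update_form(session)           # the token now exists and is in the page we served
    legitimate = {"csrf_token": session["csrf_token"], "employee_id": "7", "salary": "5500"}
    forged = {"employee_id": "7", "salary": "99999"}  # a cross-site page cannot read the token
    print(handle_update(session, legitimate))  # updated employee 7
    print(handle_update(session, forged))      # rejected: missing or invalid CSRF token
```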

A6-Security Misconfiguration:

Prevention: A repeatable hardening process, a process for keeping up with and deploying all new software updates and patches, a strong application architecture and frequent scans are required.

A7-Insecure Cryptographic Storage:

Prevention: Sensitive data, including passwords, should be properly protected with appropriate encryption.
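As an added example (not the report's or HotSource1's code), the following Python shows how stored passwords can be protected with a salted, iterated hash (PBKDF2 from the standard library) rather than kept in plaintext or reversibly encrypted; the record format and the iteration count are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumed work factor; raise it as server hardware allows

def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' to store instead of the password."""
    if salt is None:
        salt = os.urandom(16)   # fresh random salt per user: equal passwords never store alike
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    except ValueError:
        return False   # malformed record (wrong field count, bad hex, non-numeric count)
    return hmac.compare_digest(digest, expected)

if __name__ == "__main__":
    # Constructed user records: what the credential table holds instead of plaintext passwords.
    users = {"alice": hash_password("Correct-Horse-9"), "bob": hash_password("Correct-Horse-9")}
    print(users["alice"] != users["bob"])                       # True: different salts
    print(verify_password("Correct-Horse-9", users["alice"]))   # True
    print(verify_password("wrong", users["alice"]))             # False
```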

A8-Failure to Restrict URL Access:

Prevention: Authentication and authorization policies should be enforced.

A9-Insufficient Transport Layer Protection:

Prevention: Require SSL for sensitive pages, set the secure flag on cookies, use valid certificates, and support only strong algorithms.

A10-Unvalidated Redirects and Forwards:

Prevention: Redirects and forwards should not be used.

These are the 10 vulnerabilities listed in the 2010 software security recommendations. From my study of the background history of the outsourced payroll software (EPayX1), only 8 vulnerabilities from the above list were covered in its software security process. Among these 10 vulnerabilities, Security Misconfiguration and Unvalidated Redirects and Forwards were added in 2010. So, as CSO of HotSource1, I must focus on these vulnerabilities. Two vulnerabilities were removed from the 2010 list compared with that of 2009, and two new vulnerabilities were added. The removed vulnerabilities are:

Malicious File Execution

Information Leakage and Improper Error Handling.

The new vulnerabilities were not included in the 2009 list, so the payroll software was affected by them and was at high risk as a result. So as CSO for HotSource1, my primary concern will be focused here.

The ten best practices that, as CSO, I recommend to the stakeholders so that HotSource1 develops secure software are:

1. We should protect the brand our customers trust.

2. We should know our business and support it with secure solutions.

3. We should understand the technology of the software.

4. We should always ensure compliance with governance, regulations and privacy requirements.

5. We should study and know the basic tenets of software security.

6. We should ensure the protection of sensitive information.

7. We should design software with secure features.

8. We must develop software with secure features.

9. We have to deploy software with secure features.

10. Educating ourselves and others on how to build secure software will help us stay safe from flaws and threats.

Different Techniques Recommended to Detect Software Vulnerabilities:

Different techniques can be used for detecting software vulnerabilities. They fall into two categories:

Static techniques: These are applied directly to the source code without running the application. The different techniques are listed below:

a. Pattern matching
b. Lexical analysis
c. Parsing
d. Type qualifiers
e. Data flow analysis
f. Taint analysis
g. Model checking

Dynamic techniques: Here the program is executed first and its behaviour is then analysed. The different processes are listed below:

a. Fault injection
b. Fuzz testing
c. Dynamic taint analysis
d. Sanitization

Practice standards

As CSO I will bring the payroll software into line with the ISO 27002 (formerly ISO 17799) standard and COBIT controls. Today many organisations produce information security policies derived from this standard, so I will also apply it to the payroll software, and users will be well satisfied with our updated software. The best practice standards for security in Australia are shown in the diagram below.

[Diagram: best practice standards for security in Australia, shown as layers. National legislation: TPA, Privacy Act. Industry regulations: UCCC, Visa PCI. National and industry standards: ISO 17799, AS 4360, ITIL, COBIT, OWASP criteria, OWASP Testing Guide. Organisation: Information Security Policy (CSO, CIO). Reviewer roles shown: Legal Beagle, Security Reviewer, Business.]

Dependencies and Critical Success Factors:

Security of information systems is very valuable in all areas of private and government business and of software development. Better information technology with a better security system is widely accepted and better supported by users worldwide. The payroll system of HotSource1 has been affected by major vulnerabilities. As CSO for HotSource1, I have pointed out some key critical success factors for getting the job done.

All formal documentation of roles, accountabilities, responsibilities and key performance indicators should always be signed off by all key stakeholders. To stay relevant, this document must be maintained as a living document and periodically reviewed and updated.

The formal documentation of all new information system programs should divide them into groups of projects that together deliver the final outcome. Each of the smaller projects needs to be reviewed on completion, in a timely manner, to assess the overall viability of the program. Doing so makes it easier to manage risks, issues, benefits, program management activities and lessons learnt.

There should be a clear definition of the project scope and time management, with stakeholder sign-off.

If the project is large it should be divided into stages for ease of management. Every project must follow the project management stages, and a review must be performed at the end of each stage, as reviews are an important part of the project. The stages of a project are Initiating, Planning, Executing, Monitoring and Controlling, and Closing.

Quality management must be performed and the outcome must be of high quality, so that the stakeholders and board members are assured about the software. This process must be applied at all levels of the program.

Cost management must be done.

Project stakeholders are the people affected by the project outcome. They include the project sponsor, support staff, project team members, users and even vendors. The project manager must take adequate time to build and manage relationships with them.

Risk assessment, mitigation strategies and control mechanisms must be implemented at the agency level and coordinated through the recently established HotSource1 security committee.

Future contracts must be designed carefully so that all key stakeholders have defined responsibilities for the acceptance and sign-off of deliverables.

All the stakeholders must challenge the assumptions made in the planning stage.

The statement of work must be articulated clearly so that deliverables and key performance indicators are clearly linked.

Sign-off of scope and software development requirements must be controlled.

Business process mapping needs to be done to analyse the impact of the new system on the current business system.

While updating the payroll software, the difficulty of standardising it across the internal business units, and the time this takes, must be clearly understood.

[Figure: SDLC stakeholders - Top Management; Industry group delivery heads; Business unit heads; Auditors; IT Manager; Client side Security Specialists; Business Analysts; Application Owners; Quality assurance managers; Developers/Coders; Technical Architects; Project Managers]

Figure 1: The SDLC Stakeholders

Since I do not have much expertise in the field of application development, I need support from an application development expert, who must help and coordinate with me in this HotSource1 project to update the payroll software.

Journal:

Date of research activity / discussion | Topics researched or discussed | Time duration of activity
26-09-2010 | USQ Study Desk and assignment requirements (At home) | 2 hours
30-09-2010 | USQ Study Desk social forum and three threads on discussion forum (Home) | 3 hours
01-10-2010 | Meet group member Parshuram and discuss the assignment (USQ Campus) | 30 minutes
04-10-2010 | Study guide Module 9 (Home) | 2 hours
05-10-2010 | Went to Mount Druitt Library | 1 hour (Internet search), 2.5 hours (Study)
08-10-2010 | USQ LAB 3, OWASP (USQ Campus and Home) | 2 hours; 3 hours
10-10-2010 | OWASP, USQ Study Desk (Parsuram's house, Rockdale) | 6.5 hours
14-10-2010 | Finalise assignment and PowerPoint presentation (Home and emails to each other) | 3 hours; 4.5 hours
15-10-2010 | USQ LAB 3, Finalising PowerPoint presentation and submission (USQ Campus) | 5 hours
18-10-2010 | Hope to be preparing for presentation at Parsuram Rijal's house, Rockdale | Approximately 3 hours
