A Checklist for Developing Defenses

Step / Description

Analyze source code.

Use automated security checking software such as Flawfinder, RATS, or ITS4 to analyze the source code of your application for security problems. Get them here:
http://www.dwheeler.com/flawfinder/
http://www.securesw.com/rats/
http://www.cigital.com/its4/

Qualify vendors.

Before purchasing critical closed-source applications from a vendor, interview them and ask them about their development practices related to security. It isn't unreasonable to ask if their software has been audited for security by a third party and whether or not that third party has provided some form of certification.

Use open source software with care.

When using open source software, download it only from approved and legitimate maintainers, and verify the package checksums, hashes, or PGP signatures to ensure the packages haven't been tampered with. Have your developers review the source code for any obvious flaws and base the decision of which packages to use in your environment on that review. If you find flaws, help the maintainers fix them or at least report the problems to them.

Review source code.

For internally developed applications as well as open source, perform frequent manual source code review of the application, and have more than one person review the output and interpretation of any automated source code scanning tools used. The idea that a piece of software is safer simply because it is open source (and more specifically because thousands of people may have seen the code) is flawed thinking. Software flaws are often inconspicuous, and even the best developers can read over a few lines of code hundreds of times without seeing the problem. Open source and community review are critical, but don't let them give you a false sense of security.

Use third-party audits.

For publicly facing applications, or any critical application that could hold confidential or customer information, consider engaging a third-party firm to assist with your source code review/audit process.

Monitor logs.

Monitor the output of the log files that your applications generate and review them regularly for any suspicious activity. An ounce of prevention is worth a pound of cure.

Implement file integrity solutions.

Consider implementing a file integrity solution in which checksums of critical system files are tracked for changes, and monitor the output of the comparison reports.
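The baseline-and-compare cycle described above, as an added example that is not code from the book: it hashes each watched file with SHA-256, records size and permission bits alongside the hash, and produces a report of modified, missing and newly added files. The watched file names and the temp directory in demo() are constructed for illustration only.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def hash_file(path):
    """SHA-256 of a file, read in 64 KiB chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(paths):
    """Record hash, size and permission bits for each watched path that is a regular file."""
    snap = {}
    for p in map(Path, paths):
        if p.is_file():
            st = p.stat()
            snap[str(p)] = {"sha256": hash_file(p), "size": st.st_size,
                            "mode": oct(st.st_mode & 0o7777)}
    return snap

def compare(baseline, current):
    """Comparison report: files modified, missing or newly added since the baseline."""
    report = {"modified": [], "missing": [], "added": []}
    for path, old in baseline.items():
        new = current.get(path)
        if new is None:
            report["missing"].append(path)
        elif new != old:          # any change in content, size or mode counts
            report["modified"].append(path)
    report["added"] = sorted(p for p in current if p not in baseline)
    return report

def demo():
    """Constructed scenario in a temp dir: baseline, then tamper, delete and add a file."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        names = ["passwd", "sshd_config", "sudoers"]
        for n in names:
            (d / n).write_text(f"original contents of {n}\n")
        watched = [d / n for n in names] + [d / "rc.local"]
        baseline = json.loads(json.dumps(snapshot(watched)))  # as it would be stored on disk
        (d / "sshd_config").write_text("tampered contents\n")  # modified after baseline
        (d / "sudoers").unlink()                               # removed after baseline
        (d / "rc.local").write_text("#!/bin/sh\n")             # unexpected new file
        report = compare(baseline, snapshot(watched))
        return {k: [Path(p).name for p in v] for k, v in report.items()}
```

Store the baseline and the checking script where the monitored host cannot alter them (read-only media or a separate host); otherwise whoever changes a file can also update the baseline and the report stays clean.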

Use stack protection.

Implement stack protection or Mandatory Access Control List (MACL) features in your operating system or consider deploying your application on a system that supports these features to improve your resilience to buffer overflows and other attacks.

Train your developers.

Send your software developers and system administrators to security training classes and seminars to deepen their knowledge of the security practices they should follow when developing and deploying your applications.

Create a sinkhole network.

Create a sinkhole network or drain to capture egress scanning and other illegitimate traffic (in general and at the time of an attack). Learn more about creating sinkholes in Chapter 10.

Create a darknet.

Create a darknet to monitor ingress scanning activity or probes. See Chapter 10.

Create internal security zones.

Control access to protected resources using firewalls and packet filters, both at the border of your network and internally. Place your servers in a separate zone from your client workstations and control what egress traffic your servers are allowed to generate, especially towards the Internet.

Recommended Reading

  • Hacking: The Art of Exploitation, by Jon Erickson (No Starch Press, 2003)

  • Hacker Disassembling Uncovered, by Kris Kaspersky, Alist LLC (A-List, 2003)

  • Exploiting Software: How to Break Code, by Greg Hoglund and Gary McGraw (Addison-Wesley, 2004)

  • Writing Secure Code, by Michael Howard and David LeBlanc (Microsoft Press, 2004)

  • Building Secure Software: How to Avoid Security Problems the Right Way, by John Viega and Gary McGraw (Addison-Wesley, 2002)

  • Secure Coding Principles and Practices, by Mark G. Graff and Kenneth R. van Wyk (O'Reilly and Associates, 2003)

  • Open Source Digital Forensics (http://www.opensourceforensics.org/)

  • SANS Internet Storm Center (http://isc.sans.org//index.php)

  • Crypto-Gram Newsletter (http://www.schneier.com/crypto-gram.html)

  • Top 75 Security Tools List (http://www.insecure.org/tools.html)

Extreme Exploits: Advanced Defenses Against Hardcore Hacks (Hacking Exposed)
ISBN: 0072259558
Year: 2005
Pages: 120