
Domain 8: Software Development Security

front 1

Software Development Life Cycle (SDLC)

back 1

Initiation & Planning

  • Define requirements
  • Create project plan and estimate costs
  • Identify risks
  • Obtain management approval

Acquisition & Development

  • Perform analysis & design
  • Include controls for risks
  • Conduct programming & testing
  • Prepare documentation

Deployment

  • Execute QA & security testing
  • Conduct user acceptance testing
  • Complete certification & accreditation
  • Roll out to production

Operation & Maintenance

  • Implement change management
  • Maintain configuration management
  • Ensure backups are in place

Decommissioning

  • Retire the system
  • Dispose of data securely

front 2

Certification

back 2

  • Tests system features and safeguards
  • Ensures system meets organizational requirements
  • Applies to in-house or COTS systems

front 3

Accreditation

back 3

  • Management approval to deploy system
  • May include conditions or limitations
  • Acts as a "seal of approval"

front 4

Certification & Accreditation =

back 4

Assessment/Evaluation & Authorization

front 5

SSDLC (Secure SDLC)

back 5

  • Builds security into each phase of SDLC
  • Proactive approach to secure systems
  • Leads to better, safer applications

front 6

Waterfall Method

back 6

  • Linear, sequential development
  • Each phase must be completed before the next begins

front 7

Spiral Method

back 7

  • Iterative development with risk analysis
  • Cycle:
    1. Requirements
    2. Risk Analysis
    3. Prototype
    4. Validation
    5. Repeat with refined requirements

front 8

Agile Principles

back 8

  1. Deliver working software frequently
  2. Welcome changes, even late
  3. Daily cooperation between business & devs
  4. Focus on technical excellence
  5. Emphasize teamwork

front 9

Scaled Agile Framework (SAFe)

back 9

  • Designed for large organizations
  • Enables coordination across multiple teams
  • Supports collaboration and effective product delivery

front 10

Scrum (Agile Method)

back 10

  • Popular Agile development framework

Scrum Roles:

  1. Product Owner – Visionary, often the customer
  2. Scrum Master / Team Coach – Facilitator/manager
  3. Scrum Team – Developers

front 11

RAD (Rapid Application Development)

back 11

  • Emphasizes rapid prototyping
  • Uses iterative delivery

front 12

Lean

back 12

  • Focuses on minimizing waste
  • Maximizes productivity
  • Similar to Agile

front 13

Iterative vs. Non-Iterative Models

back 13

  • Iterative: Spiral, Agile, Scrum, RAD, Lean
    → Multiple rounds of development
  • Non-Iterative: Waterfall
    → Each phase is discrete and finalized

front 14

DevOps

back 14

  • Combines Development, Operations, and QA
  • Based on Lean and Agile principles
  • Goal: Shorten development cycle and enable continuous delivery

front 15

DevSecOps / SecDevOps

back 15

  • Integrates security into every phase of DevOps
  • Maintains focus on security best practices

front 16

SCA (Software Component Analysis)

back 16

  • Analyzes custom-built apps for embedded open-source components
  • Checks for:
    • Version updates
    • Vulnerabilities
    • Licensing requirements
  • Used in IT and software engineering

front 17

Software Bill of Materials (SBOM)

back 17

  • A complete list of components, libraries, and modules in a software product
  • Helps detect malicious implants or unauthorized files

front 18

Hierarchical Database

back 18

  • Organizes data in a tree-like structure
  • Examples:
    • Windows Registry
    • Microsoft Active Directory

front 19

NoSQL Databases

back 19

  • Examples: MongoDB, DynamoDB
  • Stores unstructured data (e.g., documents)
  • Uses key-value pairs
  • Commonly used to index the internet

front 20

Relational Databases

back 20

  • Examples: MS SQL Server, Oracle
  • Structured using tables with columns and rows

Table Terminology

  • Columns = Fields / Attributes / Degrees
  • Rows = Records / Tuples

Primary Key Rules (Entity Integrity)

  1. Must be unique
  2. Cannot be empty

Foreign Key Rules (Referential Integrity)

  • Must match a primary key in another table
  • Ensures linked records between tables

front 21

Database Shadowing

back 21

  • Hidden copy of DB, delayed updates
  • Used for high availability
  • Can rebuild using transaction logs
  • Not accessible by users

front 22

Remote Journaling

back 22

  • Copies transactions to backup site
  • Used for disaster recovery
  • Transactions can be replayed to restore DB

front 23

Database Replication

back 23

  • Frequent copying of DB between servers
  • Ensures data consistency across locations
  • Supports shared access to current data

front 24

Data Warehousing

back 24

  • Large databases storing high volumes of data
  • Aggregates data from multiple sources
  • Used for specialized analysis techniques

front 25

Data Mining

back 25

  • Technique to search through data warehouses
  • Identifies correlated information and patterns

front 26

Database Query Languages

back 26

DDL (Data Definition Language)

  • Defines DB structure/schema
  • Used for:
    • Creating tables
    • Modifying columns
    • Deleting DB objects

DML (Data Manipulation Language)

  • Manages table records
  • Used for:
    • Adding
    • Updating
    • Deleting records

DCL (Data Control Language)

  • Manages user access permissions
  • Assigns privileges to users

TCL (Transaction Control Language)

  • Controls DB transactions
  • Used for:
    • Applying changes
    • Rolling back changes

DQL (Data Query Language)

  • Retrieves data using SELECT command

front 27

Deadlocking (Deadly Embrace)

back 27

  • Occurs when two users/processes lock resources and wait on each other
  • Example:
    • User #1 locks Record A, waits for B
    • User #2 locks Record B, waits for A
  • Results in a stalemate

front 28

Inference

back 28

  • Combines non-sensitive info to deduce sensitive info
  • Relies on human deduction
  • Produces an educated guess

front 29

Aggregation

back 29

  • Combines lower-classified data to derive higher-classified info
  • Key traits:
    1. Uses machine processing
    2. Involves classification levels
    3. Produces a definite value

front 30

ACID Test (Transaction Integrity)

back 30

Atomicity

  • All changes take effect or none do

Consistency

  • Maintains internal and external consistency

Isolation

  • Ensures concurrent operations don’t interfere

Durability

  • Completed transactions are permanent

front 31

Metadata

back 31

  • Descriptive data about other data
  • Example: File metadata includes creation date, file type, access permissions

front 32

Machine Languages

back 32

1GL – Machine Languages

  • Binary code
  • Hardware-specific

2GL – Assembly Languages

  • Human-readable machine code
  • Uses assemblers
  • Still hardware-specific

3GL – High-Level Languages

  • Machine-independent
  • Examples: C, C++, Python, Java
  • Uses compilers/interpreters

4GL – Very High-Level Languages

  • Application-specific
  • Examples: SQL, macros

5GL – Fifth Generation Languages

  • Based on AI problem solving
  • May use neural networks
  • Cutting-edge technology

front 33

Object-Oriented Programming (OOP)

back 33

Objects contain:

  • Procedures (methods): Perform actions
  • Data (attributes): Store information

front 34

OOP Concepts

back 34

Inheritance

  • Objects can derive data/functions from other objects

Polymorphism

  • Objects can take on many forms

front 35

Class

back 35

  • A collection of methods defining object behavior
  • Acts as a template or "master" object

front 36

Instance

back 36

  • An object created from a class
  • Uses the class’s methods and structure

front 37

Encapsulation

back 37

  • Also called Data Hiding in OOP
  • Only includes necessary data for an object
  • Hides irrelevant or sensitive data

front 38

Polyinstantiation

back 38

  • A form of encapsulation used in databases
  • Creates multiple versions of data for different classification levels
  • Prevents inference attacks
  • Allows same primary key across versions

front 39

Open System

back 39

  • Has a published API
  • Allows third-party integration

front 40

Closed System

back 40

  • Proprietary
  • No third-party support or access

front 41

Open Source

back 41

  • Source code is viewable and distributable
  • May be free or fee-based

front 42

Input Validation

back 42

  • Sanitizes incoming data to ensure safety
  • Must be done on the back-end
  • WAFs can help protect public-facing services

front 43

Edit Controls

back 43

  • Front-end routines to check input validity
  • Prevents accidental errors during data entry

front 44

Bounds Checking

back 44

  • A form of Input Validation
  • Ensures a variable stays within a specific range
  • Example: If asking for age, only allow values between 18–150

front 45

Application Attacks

back 45

Memory Buffer Overflow

  • Too much data sent → memory overflow → crash or remote code execution
  • Mitigation: Input Validation

Cross-Site Scripting (XSS)

  • Malicious code injected into websites → runs in users' browsers
  • Mitigation: Input Validation

Cross-Site Request Forgery (CSRF/XSRF)

  • Session hijacking via fake requests that appear legitimate

SQL Injection (SQLi)

  • Malicious SQL commands entered via input fields
  • Example: '; shutdown with nowait; --
  • Mitigation: Sanitize input on back-end

SQLi Clues

  • Keywords: SELECT, UPDATE, DROP
  • Logic tricks: 1=1;--
  • Dangerous commands: shutdown with nowait;--

front 46

OWASP Top 10 – 2017

back 46

  1. Injection
  2. Broken Authentication
  3. Sensitive Data Exposure
  4. XML External Entities (XXE)
  5. Broken Access Control
  6. Security Misconfiguration
  7. Cross-Site Scripting (XSS)
  8. Insecure Deserialization
  9. Using Components with Known Vulnerabilities
  10. Insufficient Logging & Monitoring

front 47

OWASP Top 10 – 2021

back 47

  1. Broken Access Control
  2. Cryptographic Failures
  3. Injection
  4. Insecure Design
  5. Security Misconfiguration
  6. Vulnerable & Outdated Components
  7. Identification & Authentication Failures
  8. Software & Data Integrity Failures
  9. Security Logging & Monitoring Failures
  10. Server-Side Request Forgery (SSRF)

front 48

Virus

back 48

  • Malicious code that replicates by attaching to programs/files
  • Requires human interaction to spread (e.g., email, USB)

front 49

Examples of Viruses

back 49

Macro Virus

  • Targets macros in productivity software (Word, Excel, etc.)

Boot Sector Virus

  • Overwrites boot sector
  • Loads into RAM before OS starts

Multipartite Virus

  • Uses multiple infection methods
  • Can infect both boot sector and files

Armored Virus

  • Uses obfuscation to hide its code
  • Designed to evade analysis

Retro Virus

  • Attacks or disables antivirus software

Stealth Virus

  • Avoids detection by hiding its presence

Companion Virus

  • Adds a pointer to a host program
  • Pointer runs a separate malicious file

Polymorphic / Metamorphic Virus

  • Constantly changes shape
  • Alters file names, locations, signatures, etc. to avoid detection

front 50

Worm

back 50

  • Self-replicating malware
  • Spreads via network vulnerabilities
  • Doesn’t require user interaction or infected files

front 51

STUXNET

back 51

  • Famous worm targeting Iranian nuclear systems

front 52

Mobile Code

back 52

  • Software sent over a network
  • Executes on the local system

front 53

Applets

back 53

  • Mini-programs sent from server to client
  • Perform specific tasks locally

front 54

Java Applets

back 54

  • Java-based applets
  • Run in a sandbox for isolation

front 55

ActiveX

back 55

  • Microsoft’s version of applets
  • Full system access (less secure than Java applets)

front 56

Hostile Applet

back 56

  • Exploits system resources
  • May monopolize or misuse them

front 57

Logic Bomb

back 57

  • Malicious code triggered by specific time or condition
  • Often inserted by insiders

front 58

Trojan Horse

back 58

  • Malware hidden inside legitimate software
  • User unknowingly installs it

front 59

RAT (Remote Access Trojan)

back 59

  • Opens a backdoor for remote attacker access

front 60

Rootkit

back 60

  • Grants admin-level access to attackers
  • Hides its presence in the system

front 61

Kernel Rootkit

back 61

  • Replaces critical system files
  • Interferes with kernel functions

front 62

DDoS with Botnets

back 62

  • Distributed attack using zombie bots
  • Controlled by a master handler

front 63

Ransomware / Cryptomalware

back 63

  • Encrypts or blocks access to data
  • Demands ransom to restore access or prevent data leak

front 64

Cryptojacking

back 64

  • Uses victim’s computing resources to mine cryptocurrency
  • Done without victim’s knowledge

front 65

APT (Advanced Persistent Threat)

back 65

  • Stealthy, long-term network intrusions
  • Often state-sponsored
  • Goal: Espionage

front 66

Fileless Malware

back 66

  • Runs in RAM only, no files written to disk
  • Uses existing system tools
  • Hard to detect due to lack of signatures

front 67

Anti-Malware Tools

back 67

1. Signature Scanning

  • Detects known threats via signatures
  • Examples: Antivirus, IDS

2. Heuristic Scanning

  • Detects suspicious behavior
  • Useful for new/unknown malware

3. Change Detection Tools

  • Monitors for unauthorized changes
  • Example: Tripwire

front 68

Covert Channel

back 68

  • Secret data transfer that violates security policies

front 69

Trap-Door / Back-Door

back 69

  • Hidden access bypass created during development
  • Also called maintenance hook

front 70

Sabotage

back 70

  • Destructive act, often by insiders
  • Targets systems or data

front 71

Phlashing

back 71

  • Maliciously flashes BIOS with unauthorized version

front 72

Data Diddling

back 72

  • Alters input data to commit fraud
  • Affects databases, documents, programs

front 73

Session Hijacking

back 73

  • Attacker takes over a victim’s session
  • Often by stealing or guessing session-ID

Prevention Tips:

  1. Use randomized IDs
  2. Use high-entropy (mix of characters)
  3. Use time-based tokens that expire

front 74

Race Condition

back 74

  • Occurs when processes must execute in a specific order
  • Failure leads to errors or delays

front 75

Memory Leak

back 75

  • Program fails to release unused memory
  • Causes performance issues or crashes

front 76

TOC/TOU (Time Of Check / Time Of Use)

back 76

  • TOC: When system checks object state
  • TOU: When system uses the object
  • Delay between check and use can cause bugs

front 77

Unit Testing

back 77

  • Performed by developers
  • Tests individual units of code

front 78

Acceptance Testing

back 78

  • Performed by customers/users
  • Validates system meets requirements

front 79

Regression Testing

back 79

  • Tests new and old features
  • Ensures updates don’t break existing functionality

front 80

Separation of Duties

back 80

  • Also called Segregation of Duties
  • Prevents collusion/fraud by separating roles (e.g., coders vs. testers)

front 81

Software Assurance Maturity Model (SAMM)

back 81

  • Open framework for software security strategy
  • Helps with:
    • Evaluating current practices
    • Building assurance programs
    • Measuring improvements
    • Defining security activities

front 82

Source-Code Escrow

back 82

  • Third-party holds source code
  • Protects client if developer goes out of business

front 83

Change Management Process

back 83

Change Control Steps

  1. Submit formal change request
  2. Analyze request (cost, feasibility, impact, security)
  3. Develop implementation strategy
  4. Obtain management approval
  5. Develop and document the change

Change Management Steps

  6. Test the change
  7. Deploy the change
  8. Review and verify (roll back if needed)
  9. Report results to management

Note:
A Change Management Board (CMB) ensures safety, accountability, and supports separation of duties.