
Security And Privacy - Overview

What is Security?

In the realm of software engineering, "security" is a broad and critical discipline focused on designing, building, and maintaining software that can withstand malicious attacks and protect its data and resources from unauthorized access or modification. It's not a feature to be added at the end but a fundamental aspect that must be woven into every stage of the software development lifecycle.

The CIA Triad

The core objective of software security is to ensure the confidentiality, integrity, and availability of both the software and the data it handles. This is often referred to as the CIA triad:

  • Confidentiality: This principle ensures that sensitive information is only accessible to authorized users. It's about preventing data leaks and unauthorized disclosure. Measures to ensure confidentiality include encryption and access control mechanisms.
  • Integrity: Integrity means maintaining the accuracy and trustworthiness of data. It ensures that information is not altered or deleted by unauthorized parties. If data is changed without authorization, its integrity is compromised.
  • Availability: This guarantees that the software and its data are accessible to authorized users when they need them. It's about preventing disruptions of service, such as those caused by denial-of-service (DoS) attacks.

Other Key Concepts

While the CIA triad is foundational, software security also encompasses other crucial concepts:

  • Authentication: The process of verifying a user's identity to ensure they are who they claim to be. This is often done through passwords, tokens, or biometrics.
  • Authorization: After a user is authenticated, authorization determines what specific actions they are permitted to perform and what data they can access.
  • Non-repudiation: This provides proof that a particular user performed a specific action, preventing them from later denying it.
  • Least Privilege: This principle dictates that users and components of a system should only be given the minimum levels of access—or permissions—necessary to perform their functions.
  • Audit log
  • Isolation
  • Firewall
  • Software supply chain
  • Vulnerability

A Proactive Approach: The Secure Software Development Lifecycle (SSDLC)

Modern software engineering has shifted from a reactive to a proactive approach to security. Instead of waiting for vulnerabilities to be discovered after deployment, security is integrated into every phase of the development process. This methodology is known as the Secure Software Development Lifecycle (SSDLC) or DevSecOps.

The key stages of an SSDLC include:

  • Planning and Requirements: Security requirements are defined alongside functional requirements from the very beginning of a project.
  • Design: The software's architecture is designed with security in mind, incorporating threat modeling to identify potential attack vectors.
  • Development: Developers follow secure coding practices to avoid common vulnerabilities like input validation errors and buffer overflows.
  • Testing: Rigorous security testing, including penetration testing and vulnerability scanning, is conducted to identify and fix flaws.
  • Deployment: The software is deployed into a secure environment with proper configurations and access controls.
  • Maintenance: Ongoing monitoring and regular patching are essential to address new threats and vulnerabilities as they emerge.

In essence, "security" in software engineering is a comprehensive and continuous effort to build resilient systems that can be trusted to protect valuable information in an increasingly hostile digital world.

Legal vs Compliance vs Security vs Privacy

  • Legal: What can we do.
  • Compliance: What must we do.
  • Security: How can we do it.
  • Privacy: What should we do.

Be careful about special types of data

  • Accelerometer: detects acceleration, including vibration, so it can act as a crude microphone and record the user's voice.
  • Timestamp: if it is down to milliseconds, it may be used as a join key to link to other datasets.
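
The timestamp point above, as an added example (not part of the original notes): two datasets that each look pseudonymous are joined purely on a millisecond timestamp, and coarsening the column before export breaks the link. All records, ids and addresses are constructed.

```python
"""Added example (not from the original notes): why a millisecond timestamp is a
join key. Two datasets that each look pseudonymous are linked purely on ts_ms,
and coarsening the timestamp before export breaks the link. All records are
constructed sample data."""
from collections import defaultdict

# Constructed dataset A: analytics export carrying only an opaque pseudonym.
ANALYTICS = [
    {"pseudo_id": "u-3f9a", "event": "checkout", "ts_ms": 1700000000123},
    {"pseudo_id": "u-7c21", "event": "checkout", "ts_ms": 1700000000987},
    {"pseudo_id": "u-11be", "event": "checkout", "ts_ms": 1700000061000},
]

# Constructed dataset B: a payment log that carries real identity.
PAYMENTS = [
    {"email": "alice@example.com", "amount": 42.0, "ts_ms": 1700000000123},
    {"email": "bob@example.com", "amount": 99.5, "ts_ms": 1700000000987},
    {"email": "carol@example.com", "amount": 10.0, "ts_ms": 1700000061000},
]

MINUTE_MS = 60_000
HOUR_MS = 3_600_000


def bucket(ts_ms: int, width_ms: int) -> int:
    """Truncate a timestamp to a bucket of width_ms (width 1 == raw milliseconds)."""
    return ts_ms // width_ms


def link_by_timestamp(a, b, width_ms: int = 1):
    """Join dataset a to dataset b on the (possibly coarsened) timestamp.
    Returns {pseudo_id: set of emails sharing the same time bucket}.
    A set of size 1 means that pseudonym has been re-identified."""
    emails_by_bucket = defaultdict(set)
    for rec in b:
        emails_by_bucket[bucket(rec["ts_ms"], width_ms)].add(rec["email"])
    return {
        rec["pseudo_id"]: set(emails_by_bucket.get(bucket(rec["ts_ms"], width_ms), ()))
        for rec in a
    }


def min_anonymity_set(links) -> int:
    """Smallest candidate set across all pseudonyms; 1 means someone is fully linked."""
    return min(len(candidates) for candidates in links.values())


def coarsen_for_export(records, width_ms: int = HOUR_MS):
    """What to actually publish: timestamps rounded down to the bucket start,
    so the column no longer works as a high-precision join key."""
    return [dict(rec, ts_ms=bucket(rec["ts_ms"], width_ms) * width_ms) for rec in records]


if __name__ == "__main__":
    for width in (1, MINUTE_MS, HOUR_MS):
        links = link_by_timestamp(ANALYTICS, PAYMENTS, width)
        print(f"bucket={width:>8} ms  smallest candidate set={min_anonymity_set(links)}")
```

With raw milliseconds every pseudonym maps to exactly one email; with minute buckets one record is still unique (the third checkout sits alone in its minute); only hour buckets put all three in the same set. Pick the bucket width from the smallest candidate set you are willing to publish, not from what looks "precise enough".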

Wipeout vs Takeout

  • Wipeout: all data related to the user will be removed. The right to be forgotten.
  • Takeout: all data related to the user can be downloaded. Also serves the purpose of transparency: users know what we know about them.

Regulations / Standards

  • GDPR: General Data Protection Regulation (EU)
  • HIPAA: Health Insurance Portability and Accountability Act. (US)
  • PCI-DSS: Payment Card Industry Data Security Standard
  • CCPA: California Consumer Privacy Act, similar to GDPR.

GDPR

Data subject: the individual that information describes

6 GDPR DSRs: data subject rights

  • the right to be forgotten
  • the right to access
  • the right to portability
  • the right to restriction of processing
  • the right to rectify
  • the right to object

Methods to prove lawfulness of processing

  • contractual necessity: processing required to fulfill an agreement between a company and an individual
  • consent
  • legitimate interests

Controllers vs Processors

  • Controllers: decide how personal data will be processed; they must meet the obligations set forth in the GDPR
  • Processors: process data at the direction of another entity

FIPS

FIPS = Federal Information Processing Standard.

The set of standards that dictates how data should be encrypted and transmitted, which has seen several revisions over the years.

FIPS 140-3: Security Requirements for Cryptographic Modules. Issued by NIST.

NIST

NIST = National Institute of Standards and Technology.

NIST Cybersecurity Framework: a set of guidelines for mitigating organizational cybersecurity risks.

FedRAMP

https://www.fedramp.gov

FedRAMP = Federal Risk and Authorization Management Program.

Required in order to do business with the US government.

FedRAMP consists of a subset of NIST Special Publication 800-53 security controls specifically selected to provide protection in cloud environments.

Marketplace:

https://marketplace.fedramp.gov/#!/products?sort=productName

Software Supply Chain Security (S3C)

  • source integrity (OSS, internal developers, vendors): no bad/malicious code
  • build integrity (code repo, CI/CD pipelines, package repo): build and delivery are tamper proof
  • runtime/dynamic checks (malware/vulnerability scanning, safe deployment): ensure prod systems are not compromised
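
The build-integrity bullet above in working code, as an added example (not from the original notes): an install step that refuses any artifact whose SHA-256 does not match a digest pinned at build time. The lockfile, artifact bytes and names are constructed; in a real pipeline the pins come from the trusted build and are committed with the code.

```python
"""Added example (not from the original notes): a build-integrity gate that only
accepts artifacts whose SHA-256 matches a digest pinned at build time. The
lockfile and artifact bytes are constructed here; real ones would come from the
build pipeline and the package repository."""
import hashlib
import hmac


class IntegrityError(Exception):
    """Raised when an artifact must not be installed."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "known good" artifact as produced by the trusted build.
GOOD_WHEEL = b"fake wheel contents for widget 1.2.3"

# Constructed lockfile: artifact name -> pinned digest, committed alongside the code.
LOCKFILE = {"widget-1.2.3.whl": sha256_hex(GOOD_WHEEL)}


def verify_artifact(name: str, data: bytes, lockfile: dict) -> str:
    """Return the verified digest, or raise IntegrityError.

    Two failure modes are treated the same way: an artifact that is not pinned
    at all (nobody reviewed it) and one whose bytes differ from the pin
    (tampered in transit, in the registry, or by a compromised build step)."""
    if name not in lockfile:
        raise IntegrityError(f"{name}: not pinned in lockfile, refusing to install")
    actual = sha256_hex(data)
    # compare_digest avoids leaking how much of the digest matched through timing.
    if not hmac.compare_digest(actual, lockfile[name]):
        raise IntegrityError(
            f"{name}: digest mismatch (expected {lockfile[name][:12]}..., got {actual[:12]}...)"
        )
    return actual


def check_install_plan(plan: dict, lockfile: dict) -> dict:
    """Verify every artifact in plan ({name: bytes}); returns {name: 'ok' | error text}."""
    results = {}
    for name, data in plan.items():
        try:
            verify_artifact(name, data, lockfile)
            results[name] = "ok"
        except IntegrityError as err:
            results[name] = str(err)
    return results


def plan_is_safe(results: dict) -> bool:
    """Install nothing unless every artifact verified; one bad entry fails the whole plan."""
    return all(status == "ok" for status in results.values())


if __name__ == "__main__":
    plans = {
        "clean": {"widget-1.2.3.whl": GOOD_WHEEL},
        "tampered": {"widget-1.2.3.whl": GOOD_WHEEL + b"\n# injected"},
        "unpinned": {"other-0.1.whl": b"never reviewed"},
    }
    for label, plan in plans.items():
        results = check_install_plan(plan, LOCKFILE)
        print(label, "SAFE" if plan_is_safe(results) else "BLOCKED", results)
```

Digest pinning covers the middle of the three bullets (tampering between build and deploy); it says nothing about whether the pinned source was trustworthy in the first place, which is the source-integrity problem of review and provenance.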

IDS/IPS

  • IDS: Intrusion Detection Systems.
  • IPS: Intrusion Prevention Systems.

What are YARA Rules?

YARA = Yet Another Ridiculous Acronym.

YARA is a framework for large-scale pattern matching, used to identify and classify malware samples.

https://github.com/virustotal/yara
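
To show what a YARA rule is made of, here is an added example (not YARA itself and not from the original notes): a miniature YARA-style evaluator in pure Python. A rule is a set of named byte patterns plus a boolean condition over which of them matched; this toy supports text strings, plain hex strings without wildcards, `any of them`, `all of them`, `N of them`, and and/or/not expressions over `$identifiers`. The rule names, patterns and sample buffers are all constructed.

```python
"""Added example (not YARA and not from the original notes): a miniature
YARA-style rule evaluator. Supports text strings, plain hex strings (no
wildcards), and the conditions `any of them`, `all of them`, `N of them` and
and/or/not expressions over $identifiers. Sample buffers are constructed bytes,
not real files."""
import re
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    strings: dict      # {"$id": bytes}
    condition: str     # e.g. "$elf and ($preload or $magic)"


def hex_pattern(text: str) -> bytes:
    """'DE AD BE EF' -> b'\\xde\\xad\\xbe\\xef' (YARA hex-string syntax, minus wildcards)."""
    return bytes.fromhex(text.replace(" ", ""))


_OF_THEM = re.compile(r"^(any|all|\d+) of them$")
_BOOL_TOKENS = re.compile(r"^(\$\w+|and|or|not|\(|\)|\s)+$")


def evaluate(rule: Rule, data: bytes) -> bool:
    """True when `data` satisfies rule.condition."""
    matched = {ident: pattern in data for ident, pattern in rule.strings.items()}
    cond = rule.condition.strip()

    m = _OF_THEM.match(cond)
    if m:
        needed = {"any": 1, "all": len(matched)}.get(m.group(1))
        if needed is None:
            needed = int(m.group(1))
        return sum(matched.values()) >= needed

    if not _BOOL_TOKENS.match(cond):
        raise ValueError(f"{rule.name}: unsupported condition syntax: {cond!r}")

    def lookup(tok):
        ident = tok.group(0)
        if ident not in matched:
            raise ValueError(f"{rule.name}: undefined string {ident}")
        return str(matched[ident])

    # After substitution only True/False/and/or/not/parentheses remain, so eval
    # with an empty builtins namespace only ever sees a boolean expression.
    expr = re.sub(r"\$\w+", lookup, cond)
    return bool(eval(expr, {"__builtins__": {}}, {}))


def scan(rules, data: bytes):
    """Names of all rules that match, in rule order (as the yara CLI lists matches)."""
    return [r.name for r in rules if evaluate(r, data)]


# Constructed rules: an ELF header combined with a preload string or a marker.
PRELOAD_RULE = Rule(
    "elf_with_preload_marker",
    {"$elf": b"\x7fELF", "$preload": b"LD_PRELOAD=", "$magic": hex_pattern("DE AD BE EF")},
    "$elf and ($preload or $magic)",
)
ANY_RULE = Rule("any_marker", {"$a": b"LD_PRELOAD=", "$b": b"ld.so.preload"}, "any of them")

# Constructed samples (a few bytes each, not real binaries).
SUSPECT = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9
           + b"LD_PRELOAD=/tmp/.x/libhide.so\x00" + hex_pattern("DE AD BE EF"))
BENIGN = b"#!/bin/sh\necho hello\n"

if __name__ == "__main__":
    for label, buf in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, scan([PRELOAD_RULE, ANY_RULE], buf))
```

Real YARA adds what this toy leaves out: wildcards and jumps in hex strings, regular expressions, string counts and offsets (`#a`, `@a[1]`), file-size and module conditions, and a compiled matcher that scans many gigabytes of samples quickly.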

Data governance

  • moral?
  • ethical?
  • legal?
  • fair?

Security

Authn, authz, audit

Resources

YARA-L

YARA-L is inspired by YARA (invented by Google's VirusTotal team for malware analysis) and applies the same rule-matching idea to logs (hence the "L") and other security telemetry inside the Chronicle platform.

What is CSPM?

Cloud Security Posture Management (CSPM) is a cybersecurity solution that identifies and remediates misconfigurations and security risks in cloud environments, providing automated visibility, continuous monitoring, and remediation workflows to improve security and compliance.

"Posture" refers to an organization's overall cybersecurity strength and readiness to defend against cyber threats.

What is CNAPP?

CNAPP is an end-to-end cloud-native security solution that combines key functionalities like posture management, workload protection, runtime protection, and data security.

CNAPP represents a consolidation and evolution of multiple cloud security technologies, including Cloud Security Posture Management (CSPM), Cloud Workload Protection Platforms (CWPP), Cloud Infrastructure Entitlement Management (CIEM), Infrastructure as Code (IaC) scanning, and more.

What is Ebury?

Ebury (Malware): the name of a sophisticated and long-standing malware family that primarily targets Linux servers. Ebury is known for being an OpenSSH backdoor and credential stealer. It is used by attackers to gain unauthorized access to compromised servers, steal sensitive information (like login credentials and cryptocurrency wallet details), and use the infected servers for malicious activities such as sending spam or redirecting web traffic. Ebury has been active for many years and has infected a significant number of servers globally.

Ebury modifies libkeyutils.so.1 (a dependency of the OpenSSH server and client binaries) on disk.

It also includes a userland rootkit that hides its presence on a compromised system when the system is administered over SSH.

It is used to deploy additional malware that performs web traffic redirection, steals credit card details during transactions and sends spam.

The backdoor is activated by sending a specially crafted SSH client version string containing hex-encoded or base64-encoded data (sometimes with spaces, which are ignored).

What is a Rootkit?

A rootkit is malware that gives attackers root-level remote access.

Kernel mode rootkits vs userland rootkits

  • Kernel mode rootkits:
    • offer the most power, such as Direct Kernel Object Manipulation (DKOM) capabilities, direct interaction with hardware devices, and the capability to perform certain privileged operations.
    • more difficult to maintain due to the rapidly changing Linux kernel.
    • How to fix: reinstall the OS from a trusted source to remove them.
  • Userland rootkits:
    • hiding processes, logging keystrokes, and snooping on network activity can all be accomplished in userland.
    • more portable.
    • How to fix: terminate the suspicious processes; restore the altered files.

What is Endpoint Security?

Endpoint security is a critical aspect of cybersecurity focused on protecting the individual devices that connect to a network. These "endpoints" serve as potential entry points for cyber threats, and securing them is essential to safeguarding an organization's data and systems.

What is a contextualized container?

It refers to analyzing and securing containers not just in isolation, but by considering their relationship to the broader environment in which they are deployed. This includes:

  • The host operating system.
  • The network configuration and traffic.
  • Other containers running on the same host or in the same cluster.
  • The orchestration platform (like Kubernetes) and its configuration.
  • Associated cloud infrastructure and services.
  • Identity and access management settings.

What does "shift left" mean?

Traditionally, vulnerabilities and threats are discovered by the security team after the software is deployed.

"Shift left" means applying security best practices BEFORE deploying the software, e.g. scanning container images, Dockerfiles, Terraform and Kubernetes YAML files during software development.
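
The scanning step described above, and the misconfiguration classes a CSPM tool would otherwise report after deployment, as an added example (not from the original notes): a text-level linter for a Dockerfile and a Kubernetes manifest that runs in development, before anything is built or deployed. The Dockerfiles, the pod manifests and the placeholder digest are constructed; the rule set is deliberately small, and a real scanner uses a proper YAML parser and many more rules.

```python
"""Added example (not from the original notes): a shift-left check that lints a
Dockerfile and a Kubernetes manifest as plain text before deployment. Inputs
are constructed; the digest below is a placeholder, not a real image digest."""
import re

SHA256_DIGEST = "sha256:" + "0" * 64  # constructed placeholder digest for the samples


def lint_dockerfile(path: str, text: str):
    """Return [(path, line_no, message)]; line 0 marks a whole-file finding."""
    findings = []
    last_user = None
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        instr = instr.upper()
        if instr == "FROM" and "@sha256:" not in args:
            findings.append((path, n, "base image not pinned by digest"))
        if instr == "ADD" and re.match(r"(https?|ftp)://", args):
            findings.append((path, n, "ADD fetches a remote URL; COPY a vetted local file instead"))
        if instr == "USER":
            last_user = args.split(":")[0]
    if last_user is None or last_user in ("root", "0"):
        findings.append((path, 0, "container runs as root: add a non-root USER instruction"))
    return findings


# Line-level rules for a pod spec; each is (pattern, message).
K8S_RULES = [
    (re.compile(r"^\s*privileged:\s*true\b"), "privileged container"),
    (re.compile(r"^\s*hostNetwork:\s*true\b"), "shares the host network namespace"),
    (re.compile(r"^\s*hostPID:\s*true\b"), "shares the host PID namespace"),
    (re.compile(r"^\s*allowPrivilegeEscalation:\s*true\b"), "allows privilege escalation"),
    (re.compile(r"^\s*runAsUser:\s*0\b"), "runs as uid 0"),
    (re.compile(r"^\s*image:\s*\S+:latest\s*$"), "image tag 'latest' is not reproducible"),
]


def lint_kubernetes(path: str, text: str):
    """Return [(path, line_no, message)] for every line that trips a rule."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for pattern, message in K8S_RULES:
            if pattern.search(line):
                findings.append((path, n, message))
    return findings


# Constructed inputs: a weak version next to its hardened form.
DOCKERFILE_BAD = """\
FROM python:3.12
ADD https://example.invalid/setup.sh /tmp/setup.sh
RUN pip install -r requirements.txt
CMD ["python", "app.py"]
"""
DOCKERFILE_GOOD = f"""\
FROM python:3.12@{SHA256_DIGEST}
COPY setup.sh /tmp/setup.sh
RUN pip install -r requirements.txt
USER app
CMD ["python", "app.py"]
"""
POD_BAD = """\
apiVersion: v1
kind: Pod
spec:
  hostNetwork: true
  containers:
  - name: app
    image: registry.example/app:latest
    securityContext:
      privileged: true
      runAsUser: 0
"""
POD_GOOD = f"""\
apiVersion: v1
kind: Pod
spec:
  containers:
  - name: app
    image: registry.example/app:1.4.2@{SHA256_DIGEST}
    securityContext:
      runAsNonRoot: true
      runAsUser: 10001
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
"""

if __name__ == "__main__":
    for path, text, lint in (("Dockerfile", DOCKERFILE_BAD, lint_dockerfile),
                             ("pod.yaml", POD_BAD, lint_kubernetes)):
        for finding in lint(path, text):
            print("%s:%d: %s" % finding)
```

Wire a check like this into the pull-request pipeline with a non-zero exit on any finding; the same findings surfacing from a CSPM console after deployment means the left shift did not happen.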

Threats vs Vulnerabilities

  • Vulnerabilities: a weakness, flaw, or defect within the software itself. E.g. the ones with a CVE ID.
  • Threats: an external entity, event, or action that could exploit a vulnerability to cause harm to the software, system, or data. E.g. remote code execution, malware, crypto-mining, lateral movement, privilege escalation, container escape.

What is Domain Generation Algorithm (DGA)?

In the realm of cybersecurity, a Domain Generation Algorithm (DGA) is a technique used by malware to algorithmically generate a large number of domain names. These generated domains are typically used by the malware to communicate with its command and control (C2) servers.
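
Because a DGA produces labels that do not look like words, defenders can score query names on character statistics. The following is an added example (not from the original notes) of that detection idea run over constructed resolver log lines: it scores the registrable label on entropy, vowel ratio, digits and length. The log format, client addresses and domains are all constructed; production detectors add allow-lists, n-gram language models and per-client NXDOMAIN rates.

```python
"""Added example (not from the original notes): a small DGA-likeness heuristic
run over constructed DNS query log lines. Domains and log lines are constructed,
not taken from a real incident."""
import math
import re
from collections import Counter

VOWELS = set("aeiou")
QNAME_RE = re.compile(r"qname=([A-Za-z0-9.-]+)")


def shannon_entropy(text: str) -> float:
    """Bits per character of the label (equals log2(len) when every char is unique)."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(domain: str) -> str:
    """'xk3v9qz1mw7r.com.' -> 'xk3v9qz1mw7r'. Simplification: no public-suffix
    list, so 'example.co.uk' would yield 'co'; use a PSL in production."""
    parts = domain.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def score_domain(domain: str) -> dict:
    """Return the individual features plus their sum as `score`."""
    label = second_level_label(domain)
    vowel_ratio = sum(ch in VOWELS for ch in label) / max(len(label), 1)
    features = {
        "high_entropy": shannon_entropy(label) >= 3.3,
        "few_vowels": vowel_ratio <= 0.25,
        "has_digits": any(ch.isdigit() for ch in label),
        "very_long": len(label) >= 16,
    }
    return {"label": label, "score": sum(features.values()), **features}


def is_dga_like(domain: str, threshold: int = 2, min_len: int = 8) -> bool:
    """Short labels are skipped entirely: they are too short to score meaningfully."""
    info = score_domain(domain)
    return len(info["label"]) >= min_len and info["score"] >= threshold


def flag_dns_log(lines):
    """Distinct query names, in first-seen order, that look algorithmically generated."""
    flagged = []
    for line in lines:
        m = QNAME_RE.search(line)
        if m and is_dga_like(m.group(1)) and m.group(1) not in flagged:
            flagged.append(m.group(1))
    return flagged


# Constructed resolver log lines (addresses and names are made up).
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z client=10.0.0.5 qname=wikipedia.org rcode=NOERROR",
    "2024-05-01T10:00:02Z client=10.0.0.5 qname=stackoverflow.com rcode=NOERROR",
    "2024-05-01T10:00:03Z client=10.0.0.9 qname=xk3v9qz1mw7r.com rcode=NXDOMAIN",
    "2024-05-01T10:00:03Z client=10.0.0.9 qname=rtjqzxnbvp.net rcode=NXDOMAIN",
    "2024-05-01T10:00:04Z client=10.0.0.9 qname=qwmzkplvtnrbsdhgfj.org rcode=NXDOMAIN",
    "2024-05-01T10:00:05Z client=10.0.0.9 qname=xk3v9qz1mw7r.com rcode=NXDOMAIN",
]

if __name__ == "__main__":
    for d in flag_dns_log(SAMPLE_LOG):
        print(d, score_domain(d))
```

Note the deliberate pairing of features: "stackoverflow" clears the entropy threshold on its own but is not flagged because its vowel ratio and length are ordinary, which is why the score needs two independent signals. The burst of NXDOMAIN answers from one client in the constructed log is the other classic DGA tell, since most generated names are never registered.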

Can non-executable files be malicious?

Non-executable files can also be malicious:

  • Shared libraries: these are ELF files loaded by the main process. If modified, they may execute malicious code when one of their exported functions is called, or when they are loaded, via a glibc constructor function, DT_INIT or DT_INIT_ARRAY.
  • Scripts: they may be loaded and run by an interpreter (Bash, Python, Perl, etc.). They don't need the execute bit set if their path is passed as argument to the interpreter.

E.g. the recent backdoor in xz was present in a shared library (liblzma.so). Userland rootkits also use shared libraries to get injected via LD_PRELOAD, LD_AUDIT or other mechanisms.

Filesystem-based scanning

Scanning a container's filesystem from the host, rather than running a scanner inside the container, is a much safer and often faster way to run filesystem-based vulnerability and threat scanners. You can scan the mounted filesystem without ever executing any code from the container, completely avoiding the risk of running a malicious container.

If a container is misbehaving, you can quickly mount its image to inspect the exact state of its files without having to docker exec into a running instance.
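
The filesystem-based approach above, together with the earlier points about preload-injected libraries and scripts that need no execute bit, as an added example (not from the original notes): an offline scan of an extracted image root that only reads bytes and metadata and never executes anything from the image. The image root is constructed in a temporary directory by build_sample_root(), and the manifest of expected hashes is constructed too; a real manifest comes from the image's trusted build.

```python
"""Added example (not from the original notes): an offline, filesystem-based
scan of an extracted container image root. Nothing from the image is executed;
the scanner only reads bytes and stat metadata. The image root and the hash
manifest are constructed for the demo."""
import hashlib
import os
import shutil
import stat
import tempfile

ELF_MAGIC = b"\x7fELF"
SCRATCH_DIRS = ("tmp/", "var/tmp/", "dev/shm/")  # places where executables rarely belong


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_root(root: str, manifest: dict):
    """Walk `root` without following symlinks; return sorted (kind, relpath) findings:
      preload        - etc/ld.so.preload names libraries injected into every process
      modified       - file hash differs from the manifest pin
      script-no-exec - shebang script with no execute bit (still runnable via its interpreter)
      elf-in-scratch - ELF binary stored under a scratch directory
    """
    findings = set()
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        dirnames[:] = [d for d in dirnames if not os.path.islink(os.path.join(dirpath, d))]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                head = fh.read(4)
            mode = os.stat(full).st_mode
            if rel == "etc/ld.so.preload" and os.path.getsize(full) > 0:
                findings.add(("preload", rel))
            if rel in manifest and sha256_file(full) != manifest[rel]:
                findings.add(("modified", rel))
            if head.startswith(b"#!") and not mode & stat.S_IXUSR:
                findings.add(("script-no-exec", rel))
            if head == ELF_MAGIC and rel.startswith(SCRATCH_DIRS):
                findings.add(("elf-in-scratch", rel))
    return sorted(findings)


# Constructed stand-ins for the image's original files and their pinned hashes.
ORIGINAL_LIB = b"\x7fELF original libkeyutils bytes"
MANIFEST = {
    "usr/lib/libkeyutils.so.1": hashlib.sha256(ORIGINAL_LIB).hexdigest(),
    "bin/true": hashlib.sha256(b"\x7fELF true").hexdigest(),
}


def _write(root: str, rel: str, data: bytes, mode: int) -> None:
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)


def build_sample_root(root: str) -> None:
    """Constructed image root: one clean pinned file and four things worth flagging."""
    _write(root, "bin/true", b"\x7fELF true", 0o755)                              # matches pin
    _write(root, "usr/lib/libkeyutils.so.1", ORIGINAL_LIB + b" patched", 0o755)   # differs from pin
    _write(root, "etc/ld.so.preload", b"/usr/lib/libhide.so\n", 0o644)
    _write(root, "tmp/.x/run.py", b"#!/usr/bin/python3\nprint('hi')\n", 0o644)
    _write(root, "tmp/.x/agent", b"\x7fELF agent", 0o644)
    _write(root, "etc/motd", b"Welcome\n", 0o644)


def demo():
    """Build the constructed root in a temp dir, scan it, clean up, return findings."""
    root = tempfile.mkdtemp(prefix="image-root-")
    try:
        build_sample_root(root)
        return scan_root(root, MANIFEST)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for kind, rel in demo():
        print(f"{kind:15} {rel}")
```

The symlink handling is not cosmetic: an image controlled by an attacker can point a link at host paths, so a scanner that follows links while the image is mounted on the host ends up reading (or hashing, or reporting) the wrong filesystem.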