Sensitive data should be removed

from storage areas before another

subject accesses it Object reuse

Processes should de-allocate

committed storage Garbage Collection Application Threats

Trap/Backdoors
Buffer Overflow
Covert Channels

Goal is to enforce an organizations

security policy and procedures in the
maintenance of CIA
Involves input to the system, the data being
Motivation and Study Techniques to help Cisco
processed, and the output from the system you learn, remember, and pass your
CISSP
Data Checks technical exams!
CEH
Custom screens Preventative
More coming soon...
Validity checks Application Controls
CRCs Visit us www.mindcert.com
Detective
Controls can be classed as Application Controls
Hash's

Backups
Corrective
Control reports
Produce a quality product that meets users needs
Goals
Surrogate program performs services Stay within budget and time schedule
on behalf of another Agent This is the phase where the programmers
and developers get down to business of
Acts on behalf of principal but may
producing the product
hide the principal proxy
Good understanding of the needs of security will help the
Small apps developers reduce the likelihood of buffer overflow and covert
Applets Distributed System channel vulnerabilities in the final product
Downloaded from the web Components
Assumes each step can be completed
Run in constrained space without any effect from the later
Interpreted Java stages of the development
Simple Model
Multi platform Assumes any reworking will not affect previous work

Establishes trust between client and Recognizes a need for developers to

server with digital certificates modify early stages
Active X
Developers are limited to going back
one stage to rework
Define the concepts Project Initiation Large development teams to stop
parallel reworking
Define the requirements Not usually the case in the real world
Functional Design analysis and planning Waterfall Model Assumes a stage will finish at a specific time
Formal design
Ending phase tied to a milestone
Functional design review Models
Design specifications Verification Evaluates product against spec
Detail planning
1976, rework to have all phases end
Lifecycle with a milestone and back references Waterfall model with Verification and Validation
Software development System life-cycle phases Validation Ensures real world requirement
System Development
Install
Installation Goes round in a spiral
Test and audit
Develop Plans
Continual product changes and fixes Maintenance Spiral Model Define objectives
Replace product with a new one Prototype and identify risk
Disposal
Final Development
Joint Analysis Development Model (JAD)
Hierarchical Rapid Application Development (RAD)
Mesh
Types Personnel away from the developers
OO should test the software Keeps testing objective
Relational
Unit testing should be addresses when
Row in a relational model Tuple modules designed
Request Control The requirement for change
A column in a data model Attribute
Software maintenance manage the change
Data in a cell Element
Software Development Three phases Change Control
and Change Controls document everything
Describes the database structure Schema manage the upgrade
Release Control
Identifier that is unique to the record Candidate Key
Used to manage evolving changes to Track Versions
software products
Field that links all the data in a row Primary key Issues new products
Should conform to BS 7799
Attribute of one table that is the Jargon
primary key of another table Configuration item Component to be changed
Foreign Key

Used as a security mechanism Version Recorded state of the Configuration item

Virtual relationship to display specifics
View
Configuration Management Configuration Collection of component configuration
Also called an element Intersection of a row and column
Cell Definitions
Building Subtopic
Central repository for meta data and
data relationships Data Dictionary
CISSP Subtopic
Build List
Application and
The number of rows in a relationship Cardinality Systems Develop‐ Software Library Subtopic

Select
Improved quality
Project Benefits of a formal
Reduced life-cycle time
software process
union Primitives More accurate scheduling and meeting of
Difference milestones
product Chaotic
Initiating
Join Level 1 quality is unpredictable
Relational Operations
Intersection
PM exists
Divide Repeatable
Level 2 No formal method
Controls database access Non-Primitives
Defined from Join, project, and select Quality of the finished product is a
Important operation component of the quality of the Defined Formal processes in place
View Five Levels Level 3
Appears as a virtual table with settings Software Capability development process
that the user can view
Maturity Model (CMM)
Product improvement
Ensures that attributes in a table rely Managing
Level 4 Process improvement
only on the primary key
Eliminates repeating groups Continuous process improvement
Eliminates redundant data Data Normalization Level 5
Optimizing
Bugetized
Eliminates attributes not dependent on the primary
key
Database concepts
Select
Update
and security issues Potentially capable of being
Delete
more reliable and reduces the
possible propagation of program
insert SQL change errors
Access Privileges Grant These tell the system how to make objects, the
process of creating an object using the
Access Privileges Revoke directions in a class is called "instantiation"
Classes

Security is provided in relational Called methods

databases through views Objects contain procedures
Items Data called attributes
Virtual relation that combines Objects
information from other relations happen, but cannot see
Often called black box functions
The DBMS can be compromised by
circumventing the normal security controls Objects perform work by sending
Act of obtaining information of higher Messages messages to other objects
sensitivity by combining information
from lower levels of sensitivity Aggregation Data hiding
Encapsulation

Is ability of users to infer or deduce Different objects can react to identical

info about data at sensitivity levels for messages in different ways
A link is called an inference channel Polymorphism
which they do not have access OOP Concepts
Inference OO Systems
Security Issues Allows an object to be copied and
Put data into strict containers and Polyinstantiation populated with different data
limit access control Fundamental Characteristics
Containers
Inheritance Subclasses inherit settings
Using a view control to hide specific cells Cell suppression All predefined types are objects
Implement a view partition scheme All user defined types are objects
Anti Aggregation and Inference measures
insert bogus information in the database All operations are performed by
Noise sending messages to objects

A record of a higher level of security Common Object Request Broker

holds different data to the same Architecture (CORBA)
record of a lower one Distributed Systems
Polyinstantiation Distributed Component Object Model (DCOM)

Repository of heterogeneous databases that is Made available to users over a network

available for users to make queries ORBs are middle-ware
Object Request Brokers (ORB)
Data is normalized Establishes a client server relationship
Redundant data is removed Data Warehouse between objects

Can be applied to audit logs to find

system anomalies
Objective is to find relationships that were
unknown up until now in the warehouse Data Mining Data Warehousing
Data about Data Metadata

Metadata is not stored in the

warehouse but in the Data mart Data Mart

Database system for developers

Data Dictionary
Stores all data structures used by an application