安全軟體開發生命週期 (SSDLC)

SDLC and Security

The main phases of a software development life cycle are shown here with some specific security tasks.

Requirements gathering: (需求取得階段)

1. Security risk assessmen
2. Privacy risk assessment
3. Risk-level acceptance
4. Informational, functional, and behavioral requirements

軟體需求分析時應進行安全的評估，軟體的機密等級要求，例如涉及國家機密、營業秘密、金融交易、個人隱私資料等，應將軟體列為機密等級"高"，如涉及組織內部使用但不可公開之型態機密等級可列為"中"，一般可公開之型態機密等級可列為"普"。其次是完整性評估，資系統或資料若被竄改之影響性等級，而可用性評估，則是應考量系統若中斷服務的影響等級；此機密性、完整性、可用性均應評估其安全等級。

隱私安全評估，應考量各國有關個人隱私權的法令，如本國的個資保護法、歐盟的GDPR，同樣的也可區分為隱私要求為"高"，隱私要求為"中"，隱私要求為"普"

當經過風險評估後應決定該系統之風險等級，不同等級將區分出不同的開發規定，包含資料是否需要加密、遮罩，存取控制，操作行為模式等要求，以上這些都是需求分析時必須評估並做為設計階段的輸入項目。

Design:(設計階段)

1. Attack surface analysis
2. Threat modeling

攻擊分析主要在於識別如何減少系統被攻擊的因子

• 程式碼(Code)的數量不宜過量
• 減少程式人口(Entry points)，並限制未經授權的連線
• 最小權限原則
• 無須使用的通訊服務不應開放

威脅建模流程分為 6 個步驟︰ 

• 識別資產：識別出哪些才是系統必須保護的重要資產。 
• 建立架構概觀：利用簡單的圖表來記錄應用程式的整體架構，包含子系統、信任邊界和資料流。 
• 分解應用程式：將應用程式進行架構分解，包含基礎網路和基礎架構設計，目的在於為應用程式建立一個安全配置文件。這份文件的目的就是在應用程式設計、實 作及部署時能夠發現弱點。
• 識別威脅：留意攻擊者的目標以及應用程式的潛在漏洞，找出可能影響應用程式的威脅。 
• 記錄威脅：將識別出的威脅使用威脅的屬性定義和一般常見的威脅樣板記錄下來。 
• 評估威脅：評估所面臨的威脅，針對嚴重程度進行排序，並且優先處理優先權最高的。

Development:(開發階段)

1. Automated CASE tools
2. Static analysis

軟體開發時，應避免產生脆弱點導致系統之漏洞，CWE組織針對常見的軟體錯誤提出分析報告，如下表所示

Rank	Score	ID	Name
[1]	93.8	CWE-89	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
[2]	83.3	CWE-78	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
[3]	79.0	CWE-120	Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
[4]	77.7	CWE-79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
[5]	76.9	CWE-306	Missing Authentication for Critical Function
[6]	76.8	CWE-862	Missing Authorization
[7]	75.0	CWE-798	Use of Hard-coded Credentials
[8]	75.0	CWE-311	Missing Encryption of Sensitive Data
[9]	74.0	CWE-434	Unrestricted Upload of File with Dangerous Type
[10]	73.8	CWE-807	Reliance on Untrusted Inputs in a Security Decision
[11]	73.1	CWE-250	Execution with Unnecessary Privileges
[12]	70.1	CWE-352	Cross-Site Request Forgery (CSRF)
[13]	69.3	CWE-22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
[14]	68.5	CWE-494	Download of Code Without Integrity Check
[15]	67.8	CWE-863	Incorrect Authorization
[16]	66.0	CWE-829	Inclusion of Functionality from Untrusted Control Sphere
[17]	65.5	CWE-732	Incorrect Permission Assignment for Critical Resource
[18]	64.6	CWE-676	Use of Potentially Dangerous Function
[19]	64.1	CWE-327	Use of a Broken or Risky Cryptographic Algorithm
[20]	62.4	CWE-131	Incorrect Calculation of Buffer Size
[21]	61.5	CWE-307	Improper Restriction of Excessive Authentication Attempts
[22]	61.1	CWE-601	URL Redirection to Untrusted Site ('Open Redirect')
[23]	61.0	CWE-134	Uncontrolled Format String
[24]	60.3	CWE-190	Integer Overflow or Wraparound
[25]	59.9	CWE-759	Use of a One-Way Hash without a Salt

Top 25 Most Dangerous Software Errors

網頁類型的系統是目前的主流，且曝露於網際網路高風險環境中，因此Open Web Application Security Project 組織，定義出重要的網路應用系統10大安全風險，如下表所示

A1:2017-Injection	Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization
A2:2017-Broken Authentication	Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently.
A3:2017- Sensitive Data Exposure	Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly  rotected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.
A4:2017-XML External Entities (XXE)	Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.
A5:2017-Broken Access Control	Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users’ data, change access rights, etc.
A6:2017-Security Misconfiguration	Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched and upgraded in a timely fashion.
A7:2017- Cross-Site Scripting (XSS)	XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
A9:2017-Using Components with Known Vulnerabilities	Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.
A10:2017- Insufficient Logging & Monitoring	Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.

OWASP Top 10

Testing/validation:(測試階段)

1. Dynamic analysis
2. Fuzzing
3. Manual testing
4. Unit, integration, acceptance, and regression testing

軟體開發完成後進入測試階段，除了功能性測試外，亦須安全性測試，安全測試主要以弱點檢測、原碼檢測、滲透測試三類為主，經過安全性檢測後以達到系統安全狀態。

https://pentestmag.com/

Release/maintenance:(發佈上線階段)

1. Final security review

上線前應檢視相關文件，如系統規格文件、系統操作說明、功能與安全測試報告、上線程序等，後續維護方式等。