CSS321_IP4

docx

School

Colorado Technical University *

*We aren’t endorsed by this school

Course

321

Subject

Information Systems

Date

Dec 6, 2023

Type

docx

Pages

16

Uploaded by EarlKoalaPerson755

Report
CSS321-2304B-01, Software Assurance Individual Project – Week 4
Table of Contents Unit 1 – Project Outline ............................................................................................................................... 3 Company Description .............................................................................................................................. 3 Applications Provided .............................................................................................................................. 3 Software Development Methods ............................................................................................................. 3 Unit 1 – Security in the Development Life Cycle .......................................................................................... 5 Software Development Lifecycle .............................................................................................................. 5 Security Development Lifecycle ............................................................................................................... 5 Unit 2 – Software Assurance Techniques ..................................................................................................... 7 Analysis .................................................................................................................................................... 7 Guidelines ................................................................................................................................................ 8 Unit 3 – Security in Nontraditional Development Models ......................................................................... 10 Nontraditional Development Model ...................................................................................................... 10 Major Steps in Rapid Application Development .................................................................................... 10 Security Risks ......................................................................................................................................... 11 Unit 4– Security Static Analysis .................................................................................................................. 12 Application Design ................................................................................................................................. 12 Sample Vulnerability Code ..................................................................................................................... 12 Security Analysis Tools ........................................................................................................................... 13 Unit 5– Software Assurance Policies and Processes .................................................................................. 15 TBD ........................................................................................................................................................ 15 References ................................................................................................................................................. 16
Unit 1 – Project Outline Company Description Amazon Web Services, a subsidiary of Amazon, holds 34% of the current market when it comes to cloud computing. AWS was launch 17 years ago in 2006, and the team that designed it was called S3. S3 had a huge challenge Infront of them and had to design a service that would provide storage for developers. They had a goal in mind that one they simply put as, “The system should be made as simple as possible (but no simpler)." What they landed on was a completely new system that used "objects," "buckets," and "keys" to offer secure internet storage that developers could use and afford at $0.15 per gigabyte of storage per month (the price for what is now called S3 Standard storage has since dropped to about $0.02 per gig per month)[ CITATION Ama21 \l 1033 ]. Applications Provided When it comes to cloud computing AWS offers over 200 fully featured services to customers globally. Some of the top AWS services include Amazon EC2, Amazon RDS, Amazon S3, Amazon Lambda, and Amazon Cognito[ CITATION Tra23 \l 1033 ]. The services offer things from virtualization, database servers, to backup storage servers. AWS even offers a service called Amazon Workforce, where users can login to a virtual environment and collaborate on a project, or even work on their own projects not just from an APP on their desktop, but also from their phone, or even by simply logging into a website to gain access. Software Development Methods AWS loves decomposition, automation, and organizing developments around what customers want when they are developing software. They focus on a DevSecOps methodology, DevSecOps is the combination of cultural philosophies, practices, and tools that increases an organization’s ability to
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
  • Access to all documents
  • Unlimited textbook solutions
  • 24/7 expert homework help
deliver applications and services at high velocity: evolving and improving products at a faster pace than organizations using traditional software development and infrastructure management processes[ CITATION Sta \l 1033 ]. This also allows them to combine certain teams that normally worked separate and speed up the process to deliver quality software.
Unit 1 – Security in the Development Life Cycle Software Development Lifecycle AWS uses the methodology of DevSecOps when it comes to SDLC, and they do it in a unique way. AWS and Amazon implement something called the “Two-Pizza Team”. The reason they do this is because small teams have minimized bureaucracy and maximized time to focus on innovating for customers, which in turn raises employee satisfaction, mitigate the Ringelmann Effect (the tendency for individual productivity to decrease in larger groups), allows teams to run fast, experiment early and frequently, and apply learnings rapidly to constantly drive value to their customers, helps lower the costs of failure – your learnings come quicker and at lower stakes than you may have otherwise faced at later stages of development[ CITATION Sta23 \l 1033 ]. These small teams are not just the developers, they are also the operators of the front-end equipment, and the team also handles security issues during and after the development of a service. Another great concept to these teams is that they have what Amazon calls single-threaded ownership, which the teams are only focused on that one service and nothing else. This is great for customers because if a problem arises and customer support can’t handle it, you as the customer know that when the ticket gets pushed higher someone who developed the service is going to figure the solution. Security Development Lifecycle With AWS using a DevSecOps methodology, security is integrated during the software development lifecycle. The Two-Pizza Teams that AWS forms handle the initial risk assessment when planning a project, and they are the ones who figure out fixes as vulnerabilities arise from customers or testing. Teams are held accountable when it comes to security. At Amazon if a security vulnerability is found or the team is made aware of it the CISO and CEO need to be made aware of it as soon as possible as well.
AWS allow makes the teams follow principles and tenants with security issues. They are ownership, insist on the highest standards, dive deep, and stay simple. With ownership the team is the owner of the product, and it is their responsibility to fix the security issue. Insist on the highest standards is that the leaders of the teams hold their teams to the highest standard and don’t let poor quality products be released. Dive deep is where the teams need to dive to the deepest part of service to locate and fix vulnerabilities, and to make sure the service is free from other vulnerabilities. Stay simple is a way for Amazon to have teams write not simple code but use code that is needed to make the service a success. AWS integrates security into development by a three-pillar system. They are policy, process, and tools. With policies these are given to teams to give them the guidelines to follow as they develop the service. These include security polices, security training, data encryption standards, PII and CII handling standards, and compliance requirements[ CITATION Col19 \l 1033 ]. Security processes include security reviews, penetration testing, and formal verification. Security reviews are started from the early stages in development and periodically after that. Throughout the lifecycle penetration testing is done to locate any possible vulnerabilities there may be. Formal verification is something that is done by an Automated Reasoning Group, and they verify the code for any possible errors that may need to be fixed. The final pillar is tools and AWS offers many tools to developers to help with security. Thes include toolkits with already provide things like TLS/SSL, Access Management, AWS Config, and others.
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
  • Access to all documents
  • Unlimited textbook solutions
  • 24/7 expert homework help
Unit 2 – Software Assurance Techniques Analysis The great thing about AWS is that they offer so many applications that not only service small home networks but can handle enterprise level needs. One of these applications is Amazon Aurora which is a relational database service that combines the speed and availability of high-end commercial databases with the simplicity and cost-effectiveness of open-source databases. Aurora is fully compatible with MySQL and PostgreSQL, allowing existing applications and tools to run without requiring modification[ CITATION AWS23 \l 1033 ]. One risk you can run into while using this application is SQL injection. To mitigate this from happening developers using this to create databases should use prepared statements and stay away from dynamic queries. Another risk that threatens this database is unnecessary access privileges. To fix this the developer of the database needs to set privileges according to each user and what they are allowed to do in the database. This can also mitigate from an attacker gaining access from a user who should have read only privileges. Amazon Workspaces is a great application AWS offers. It can be accessed in many ways from an application on your desktop to even an application on your mobile device. It is a virtual desktop that supports Windows, Linux, and Ubuntu. Risks that can cause security issues with this can be from the end user like unsecure internet connections, or even virus and malware attacks. If a user connects to a to the virtual desktop from an untrusted access point it can allow an attacker access into that virtual environment and wreak havoc. Companies can mitigate this by supplying a VPN or requiring the user to install a trusted VPN to secure their connection. If the user is accessing an email client from within the virtual environment and they open or click a malicious email, they can cause that application to become corrupt. The company should have a separate email client accessed outside Amazon Workspace, and
security training should be held periodically to show what signs employees should be looking for in malicious emails. Amazon Elastic Compute Cloud (Amazon EC2) offers the broadest and deepest compute platform, with over 700 instances and choice of the latest processor, storage, networking, operating system, and purchase model to help you best match the needs of your workload[ CITATION AWS231 \l 1033 ]. This application gives you all the basics to start running on a cloud based virtual environment. This application faces security risks like unsecured network connection and unauthorized access. With any application where the user is accessing an environment from outside the companies network there is the risk of them using an unsecure network and can allow attackers access to implement deeper attacks. This can be mitigated by using a trusted VPN that the company supplies or that the user is required to download. Unauthorized access can come from a user leaving the computer with the application still signed in or it could even be low security on sign processes. To fix this companies should instill multi-authentication principles and configure the application to time out and sign out after a certain amount of idle time. Guidelines With AWS using many different development teams for their products and giving them ownership over said product taking pride in security is a must. Attacks can come at any time and attackers look for the smallest weakness to take advantage of. So, when developing a product these guidelines should be taken into consideration: o Training: Developers should receive training on a scheduled basis not just on security and what threats to look out for, but also on good software development techniques. o Conduct Regular Security Checks: Leads of development teams should conduct random checks on vulnerabilities in the software code itself and any vulnerabilities that may be on the network.
If the environment is a container and no outside access should be allowed, then periodic Penetration Testing should be performed for an outside source. o Secure Coding: Being that software is use by our customers to store or even create data, the software’s code should be written with prepared statements. The code should also be check before moving to the next stage of development for vulnerabilities and if they are found fix immediately. o Post release: issues found after the release of the software should be handled in a timely manner. If the issues involve security, fix to the known vulnerability or vulnerabilities should be found and released to the customers as soon as possible.
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
  • Access to all documents
  • Unlimited textbook solutions
  • 24/7 expert homework help
Unit 3 – Security in Nontraditional Development Models Nontraditional Development Model For AWS the nontraditional development model that would work great for them is Rapid Application Development (RAD). Rapid application development (RAD) is a methodology that focuses on - as the name indicates - developing rapidly through frequent iterations and continuous feedback. As the demand for new software and features skyrockets in our modern tech era, RAD has become an increasingly popular development method in business globally[ CITATION Chr20 \l 1033 ]. RAD is like agile in a lot of ways. AWS already uses agile in their development cycle so integrating RAD wouldn’t be too hard. RAD works well with teams of small sizes and AWS sets the development teams in small groups who have take charge of the whole process to develop their product. Major Steps in Rapid Application Development RAD has 4 which are define project requirements, prototype, rapid construction, and feedback, and finalize product. During define project requirements the projects goals and budget are set, and the customers vision is also heard. These requirements are not set in stone, they can be changed at anytime during the development cycle if needed. Once the team gets the requirements taken care of, the prototypes can be built. Multiple prototypes are built so tat during the next step they can best tested and get feedback on which one fits the customers needs the best. Rapid construction is where application coding, system testing, and unit integration occurs, converting prototype and beta systems into a working model. This phase may also be repeated as required, supporting new components and alterations. Generally, teams use low-code or rapid application development tools to quickly progress the application[ CITATION Chr20 \l 1033 ]. Through this step developers can find problems with the product before it is fully released to the public. During the final phase the software is finished and released to the customers.
Security Risks RAD can bring some security risks if the developers try to speed through and put speed over security in the development cycle. Some issues can be quality of code, security monitoring for the customer, and third-party security issues. When it comes to quality of code RAD can be low to no -code type of development and this can cause developers to use third parties for their code. This ties into third-party security issues. AWS needs to have their development teams look at both code they are writing and code they may use from a third-party for vulnerabilities. AWS should also require their teams to only use trusted third parties for code, and if the code they need is from a source not on the trusted list it needs to be thoroughly checked first before given the approval to use. Now when it comes to monitoring for security this is a risk to customers using a poorly designed product. If the product isn’t designed so that the user or the users company can detect unwanted access, then attackers could use a product without the user even knowing. This is a big deal for SaaS products. AWS should require developers to program in a monitoring system to alert users if unusual processes are running. They can do this with SaaS by alerting if there are multiple users accessing the same virtualized environment.
Unit 4– Security Static Analysis Application Design The application design for a product AWS uses is Amazon WorkSpaces. This product offers users a fully managed virtual desktop. A user can use existing network and equipment without having to spend anymore money on new infrastructure to deploy this virtual environment. It can be accessed from an icon on your desktop, a mobile application, or even though their web browser. A business could also use this product to setup a desktop and share it with the whole company or make separate desktop configurations depending on what its intended use is. [ CITATION AWS232 \l 1033 ] Sample Vulnerability Code The code bellow shows an example of a remote code execution vulnerability. WorkSpaces registers a custom URI when the desktop application is installed on a windows machine. When handling the URI, WorkSpaces fails to sanitize the parameters, which are then passed to the command line when authenticating access to WorkSpaces. The way the code is written an attacker can execute arbitrary commands, they could also gain access to Workspaces by using a valid registration code and the adding “-gpu-luancher” argument in the URI, specifying a command that CEF will execute[ CITATION Ion21 \l
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
  • Access to all documents
  • Unlimited textbook solutions
  • 24/7 expert homework help
1033 ]. An attacker can also use this vulnerability to can access to the host by configuring proxy settings, or even by keylogging usernames or passwords. The example bellow shows how the URI doesn’t sanitize various parameters and they can be seen such as username, Regcode, and host. [ CITATION Dav23 \l 1033 ] Security Analysis Tools Three security Analysis Tools that I found are Veracode SAST, Checkmarx SAST, and InsightAppSec. Veracode SAST is a tool that can be run automatically as code is being written and can alert when vulnerability arise throughout development. Checkmarx SAST is another tool that can be ran
in the background and alert when vulnerabilities appear, it can also give you suggestions to correct the vulnerability. InsightAppSec scans applications or web applications for vulnerabilities, this tool would be useful for end users to make sure the remote code execution vulnerability is not still a risk when using WorkSpaces.
Unit 5– Software Assurance Policies and Processes TBD
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
  • Access to all documents
  • Unlimited textbook solutions
  • 24/7 expert homework help
References Arghire, I. (2021, September 22). VULNERABILITIESRemote Code Execution Vulnerability Found in AWS WorkSpaces . Retrieved from Security Week: https://www.securityweek.com/remote-code- execution-vulnerability-found-aws-workspaces/ Chien, C. (2020, February 04). What is Rapid Application Development (RAD)? Retrieved from CodeBots: https://codebots.com/app-development/what-is-rapid-application-development-rad House, T. (2023). Top 25 AWS Services List 2023 . Retrieved from All Services: https://allcode.com/top- aws-services/ MacCarthaigh, C. (2019, December 10). Amazon's approach to security during development . Retrieved from YouTube: https://www.youtube.com/watch?v=NeR7FhHqDGQ Staff. (2023, October 6). High-performing organization - the Amazon Two Pizza Team . Retrieved from AWS Executive Insights: https://aws.amazon.com/executive-insights/content/amazon-two-pizza- team/ Staff. (n.d.). What is DevOps? Retrieved from Amazon Web Services (AWS): https://aws.amazon.com/devops/what-is-devops/ Staff, A. (2021, March 17). The deceptively simple origins of AWS . Retrieved from About Amazon: https://www.aboutamazon.com/news/aws/the-deceptively-simple-origins-of-aws Staff, A. (2023, October 19). Amazon Aurora Features . Retrieved from AWS: https://aws.amazon.com/rds/aurora/features/ Staff, A. (2023, October 19). Amazon EC2 . Retrieved from AWS: https://aws.amazon.com/ec2/ Staff, A. (2023, October 28). Amazon WorkSpaces . Retrieved from AWS: https://aws.amazon.com/workspaces/all-inclusive/ Yesland, D. (2023, October 28). CVE-2021-38112: . Retrieved from Rhino Security Labs: https://rhinosecuritylabs.com/aws/cve-2021-38112-aws-workspaces-rce/

Related Documents

PREPARE POULTRY DISHES SERVICE PLANNING TEMPLATE.docx
IP5_RaymondMartinez.docx
Assignment 6- Steve’s Bikes Online Ordering - HK.docx
IP4_RaymondMartinez.docx
IP1_RaymondMartinez2.docx
CSS321_IP5.docx
CSS321_IP1.docx
CSS321_IP2.docx
CSS321_IP3.docx
Unknown-3.pdf
Unknown-2.pdf
Interview Questions.docx