Security Hot Spots



Security Hot Spots are a lens for security.  If you know what you’re looking for, you can find it.  When you don’t know what you’re looking for, you can waste a lot of time.  The Hot Spots provide a way to find, organize and share software security knowledge.  You can use hot spots to share principles, patterns, and practices.  You can also use hot spots to share knowledge around threats, attacks, vulnerabilities, and countermeasures.

Rather than deal with a laundry list of information, use hot spots to focus your attention on key categories.  The Hot Spots are actionable and they are high ROI.  The Hot Spots help you simplify, clarify and gain insight before you elaborate, maximize and optimize.  Before wasting a bunch of time down the wrong paths, use Security Hot Spots to help you identify and map out your best opportunities.  Another way to think of Security Hot Spots is the Pareto Principle or 80/20 rule in action.

Why Security Hot Spots
There are several reasons for using Security Hot Spots:

  • Security Hot Spots are a way to chunk up the security space.
  • Security Hot Spots create more meaningful filters for problem domains. 
  • Security Hot Spots act as durable, evolvable backdrops to help rationalize a space.  
  • It’s a living map.  You can start with a baseline set of hot spots and add as you need to.
  • Security Hot Spots help you deal with information overload.  You need a way to see the forest for the trees.  You can use Security Hot Spots as a heat map.
  • You can use Security Hot Spots to guide your inspections (security design inspection, security code inspection, and security deployment inspection).
  • You can use Security Hot Spots to reduce friction.

Security Hot Spots (Application Level)
With Security Hot Spots, it’s easy to walk the categories and think of potential security problems or mistakes.  Here are some example issues, grouped by Security Hot Spots at the application level:

Hot Spots and examples:
Auditing and Logging
  • User denies performing an operation.
  • Attacker exploits an application without trace.
  • Attacker covers his tracks.
  • Network eavesdropping.
  • Brute force attacks.
  • Dictionary attacks.
  • Cookie replay attacks.
  • Credential theft.
  • Elevation of privilege.
  • Disclosure of confidential data.
  • Data tampering.
  • Luring attacks.
Configuration Management
  • Unauthorized access to administration interfaces.
  • Unauthorized access to configuration stores.
  • Retrieval of clear text configuration secrets.
  • Lack of individual accountability.
  • Over-privileged process and service accounts.
  • Loss of decryption keys.
  • Encryption cracking.
Exception Management
  • Revealing sensitive system or application details.
  • Denial of service attacks.
Input and Data Validation
  • Buffer overflows.
  • Cross-site scripting.
  • SQL injection.
  • Canonicalization attacks.
  • Query string manipulation.
  • Form field manipulation.
  • Cookie manipulation.
  • HTTP header manipulation.
Sensitive Data
  • Accessing sensitive data in storage.
  • Accessing sensitive data in memory (including process dumps).
  • Network eavesdropping.
  • Information disclosure.
Session Management
  • Session hijacking.
  • Session replay.
  • Man-in-the-middle attacks.

Security Hot Spots (Code Level)
Here’s a list of potential security mistakes and issues, grouped by Security Hot Spots at the code level:

Hot Spots and examples:
Authentication, Authorization and Trust
  • Comparing Classes by Name
  • Single-Factor Authentication
  • Hard-coded Passwords
Cryptography and Secrets
  • Key Exchange Without Entity Authentication
  • Failure to Add Integrity Check Value
  • Failure to Follow Chain of Trust in Certificate Validation
Language and Feature Misuse
  • Failure to Protect Class Data with Accessors
Logic Errors
  • Improper Pointer Subtraction
  • Failure to Deallocate Memory
  • Assigning Instead of Comparing
  • Null Pointer Dereference
  • Using Freed Memory
  • Doubly Freeing Memory
  • Buffer Overflow
  • Stack Overflow
  • Heap Overflow
Synchronization and Timing
  • Race Condition in Time of Check, Time of Use
  • Unsafe Function Call from Signal Handler
  • Passing Mutable Objects to an Untrusted Method
  • Format String
  • Truncation
  • Sign Conversion
  • Cross-site Scripting
  • Command Injection
  • Deserialization of Untrusted Data
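The code-level hot spots above are names only.  As an added example (not code from the original post), here is what three of them look like in C, each flawed check beside its corrected form: "Assigning Instead of Comparing" from Logic Errors, and "Sign Conversion" and "Truncation" from the last group.  The functions return the value that would flow onward (a role decision, a byte count for a later memcpy, a header length field) rather than performing the copy, so the defect is visible without corrupting memory.  All function and constant names, and the record size limit, are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical constants for the illustration. */
#define ROLE_USER  1
#define ROLE_ADMIN 2
#define MAX_RECORD 64

/* Logic Errors: "Assigning Instead of Comparing".
 * The single '=' stores ROLE_ADMIN into 'role' and the expression evaluates
 * to 2 (nonzero), so every caller is treated as an administrator. The extra
 * parentheses are the idiom that silences the compiler warning, which is
 * exactly how this slips past a build. Bug kept on purpose. */
static bool is_admin_buggy(int role)
{
    if ((role = ROLE_ADMIN))
        return true;
    return false;
}

/* Corrected: compare, and keep the parameter const so the compiler rejects
 * an accidental assignment. */
static bool is_admin_fixed(const int role)
{
    return role == ROLE_ADMIN;
}

/* "Sign Conversion": the length arrives as a signed int (say, parsed from a
 * request). The check runs while the value is still signed, so -1 > 64 is
 * false and the negative length is accepted; the later cast to size_t turns
 * -1 into SIZE_MAX, the byte count a memcpy would then receive. Returns the
 * accepted byte count, or 0 when the input is rejected. */
static size_t accepted_length_buggy(int len)
{
    if (len > MAX_RECORD)
        return 0;
    return (size_t)len;     /* -1 becomes SIZE_MAX here */
}

/* Corrected: reject negative values before any conversion happens. */
static size_t accepted_length_fixed(int len)
{
    if (len < 0 || len > MAX_RECORD)
        return 0;
    return (size_t)len;
}

/* "Truncation": a 16-bit on-the-wire length field. Storing a size_t into it
 * silently drops the high bits, so 65537 is recorded as 1 and a consumer
 * trusting the header under-reads the payload. Returns the stored field. */
static size_t stored_length_buggy(size_t len)
{
    uint16_t hdr_len = (uint16_t)len;   /* truncating store, kept on purpose */
    return hdr_len;
}

/* Corrected: refuse anything the field cannot represent. */
static size_t stored_length_fixed(size_t len)
{
    if (len > UINT16_MAX)
        return 0;
    return (uint16_t)len;
}

int main(void)
{
    printf("is_admin(ROLE_USER): buggy=%d fixed=%d\n",
           is_admin_buggy(ROLE_USER), is_admin_fixed(ROLE_USER));
    printf("length -1: buggy=%zu fixed=%zu\n",
           accepted_length_buggy(-1), accepted_length_fixed(-1));
    printf("header length 65537: buggy=%zu fixed=%zu\n",
           stored_length_buggy(65537), stored_length_fixed(65537));
    return 0;
}
```

When walking a code inspection with these hot spots, the questions to ask are the ones the fixed versions answer: is every conditional a comparison, is every length range-checked in its original signedness before it is converted, and is every narrowing store guarded by a bound the narrower type can hold.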

Case Studies / Examples
Using Security Hot Spots produces results.  Here are examples of Security Hot Spots in action:

Questions for Reflection
Hot spots are a powerful way of sharing information.  Here are some questions to help you turn insight into action:

  • How can you leverage Security Hot Spots to improve security results in your organization?
  • How can you organize your bodies of knowledge using Security Hot Spots?
  • How can you improve sharing patterns and anti-patterns using Security Hot Spots?
  • How can you improve checklists using Security Hot Spots?
  • How can you tune and prune your security inspections using Security Hot Spots?
