Security Hot Spots

 

Security Hot Spots are a lens for security.  If you know what you’re looking for, you can find it.  When you don’t know what you’re looking for, you can waste a lot of time.  The Hot Spots provide a way to find, organize and share software security knowledge.  You can use hot spots to share principles, patterns, and practices.  You can also use hot spots to share knowledge around threats, attacks, vulnerabilities, and countermeasures.

Rather than deal with a laundry list of information, use hot spots to focus your attention on key categories.  The Hot Spots are actionable and they are high ROI.  The Hot Spots helps you simplify, clarify and gain insight before you elaborate, maximize and optimize.  Before wasting a bunch of time down the wrong paths, use Security Hot Spots to help you identify and map out your best opportunities.   Another way to think of Security Hot Spots is the Pareto Principle or 80/20 rule in action.

Why Security Hot Spots
There’s several reasons for using Security Hot Spots:

• Security Hot Spots are a way to chunk up the security space.
• Security Hot Spots create more meaningful filters for problem domains. 
• Security Hot Spots act as durable, evolvable backdrops to help rationalize a space.  
• It’s a living map.  You can start with a baseline set of hot spots and add as you need to.
• You can help deal with information overload.  You need a way to see the forest from the trees.  You can use Security Hot Spots as a heat map.
• You can use Security Hot Spots to guide your inspections (security design inspection, security code inspection, and security deployment inspection).
• You can use Security Hot  Spots to reduce friction.

Security Hot Spots (Application Level)
With Security Hot Spots, it’s easy to walk the categories and think of potential security problems or mistakes.  Here are some example issues, grouped by Security Hot Spots at the application level:

Hot Spots	Examples
Auditing and Logging	User denies performing an operation. Attacker exploits an application without trace. Attacker covers his tracks.
Authentication	Network eavesdropping. Brute force attacks. Dictionary attacks. Cookie replay attacks. Credential theft.
Authorization	Elevation of privilege. Disclosure of confidential data. Data tampering. Luring attacks.
configuration Management	Unauthorized access to administration interfaces. Unauthorized access to configuration stores. Retrieval of clear text configuration secrets. Lack of individual accountability. Over-privileged process and service accounts.
Cryptography	Loss of decryption keys. Encryption cracking.
Exception Management	Revealing sensitive system or application details. Denial of service attacks.
Input and Data Validation	Buffer overflows. Cross-site scripting. SQL injection. Canonicalization attacks. Query string manipulation. Form field manipulation. Cookie manipulation. HTTP header manipulation.
Sensitive Data	Accessing sensitive data in storage. Accessing sensitive data in memory (including process dumps.) Network eavesdropping. Information disclosure.
Session Management	Session hijacking. Session replay. Man-in-the-middle attacks.

Security Hot Spots (Code Level)
Here’s a list of potential security mistakes and issues, grouped by Security Hot Spots at the code level:

Hot Spots	Examples
Authentication, Authorization and Trust	Comparing Classes by Name Single-Factor Authentication Hard-coded Passwords
Cryptography and Secrets	Key Exchange Without Entity Authentication Failure to Add Integrity Check Value Failure to Follow Chain of Trust in Certificate Validation
Language and Feature Misuse	Failure to Protect Class Data with Accessors
Logic Errors	Improper Pointer Subtraction Failure to Deallocate Memory Assigning Instead of Comparing
Memory	Null Pointer Dereference Using Freed Memory Doubly Freeing Memory
Range	Buffer Overflow Stack Overflow Heap Overflow
Synchronization and Timing	Race Condition in Time of Check, Time of Use Unsafe Function Call from Signal Handler Passing Mutable Objects to an Untrusted Method
Type	Format String Truncation Sign Conversion
Validation	Cross-site Scripting Command Injection Deserialization of Untrusted Data

Case Studies / Examples
Using Security Hot Spots produces results.  Here’s examples of Security Hot Spots in action:

• Security Guides / Books.  Security Hot Spots helped frame the patterns & practices books: Building Secure ASP.NET Applications, Improving Web Application Security, Security Engineering Explained, and Improving Web Services Security.
• Competitive Assessments.  Security Hot Spots helped frame and drive the results for competitive assessments: .NET 1.1 vs. WebSphere 5.0, OpenHack4, and Security Engineering Study.
• Web Application Security Frame.  Security Hot Spots helped create the Web Application Security Frame, which is an organizing backdrop for Web Application Security Guidelines and Web Application Threats, Attacks, Vulnerabilities and Countermeasures.
• Web Services Security Frame. Security Hot Spots helped create the Web Services Security Frame, which is used as an organizing backdrop for Web Services Design Guidelines and Web Services Threats, Attacks, Vulnerabilities and Countermeasures.
• Security Engineering Methodology.   The heart of our patterns & practices Security Engineering Methodology is Security Hot Spot driven.  We focus on the high ROI activities and each activity uses Security Hot Spots to focus results.
• Security Inspections.   Security Hot Spots help drive results for our patterns & practices Security Design Inspection, Security Code Inspection, and Security Deployment Inspection.
• Security Checklists.  Security Hot Spots help organize the patterns & practices Security Design Checklist for Web Applications and the Security Design Checklist for Web Services.
• Threat Modeling.  A large part of our optimization around our patterns & practices Threat Modeling is by leveraging Security Hot Spots.  We use the Security Hot Spots to help identify threats, attacks, and vulnerabilities.

Questions for Reflection
Hot spots are a powerful way for sharing information.  Here’s some questions to help you turn insight into action:

• How can you leverage Security Hot Spots to improve security results in your organization?
• How can you organize your bodies of knowledge using Security Hot Spots?
• How can you improve sharing patterns and anti-patterns using Security Hot Spots?
• How can you improve checklists using Security Hot Spots?
• How can you tune and prune your security inspections using Security Hot Spots?

My Related Posts

• Security Frame
• Security Principles
• Security Approaches that Don’t Work