Shaping Software

Enduring Ideas in the Realm of Software
Security Hot Spots

Mar 9, 2009 by JD

Security Hot Spots are a lens for security.  If you know what you’re looking for, you can find it.  When you don’t know what you’re looking for, you can waste a lot of time.  The Hot Spots provide a way to find, organize and share software security knowledge.  You can use hot spots to share principles, patterns, and practices.  You can also use hot spots to share knowledge around threats, attacks, vulnerabilities, and countermeasures.

Rather than deal with a laundry list of information, use hot spots to focus your attention on key categories.  The Hot Spots are actionable and they are high ROI.  The Hot Spots help you simplify, clarify and gain insight before you elaborate, maximize and optimize.  Before wasting a lot of time going down the wrong paths, use Security Hot Spots to help you identify and map out your best opportunities.  Another way to think of Security Hot Spots is the Pareto Principle, or 80/20 rule, in action.

Why Security Hot Spots
There are several reasons for using Security Hot Spots:

  • Security Hot Spots are a way to chunk up the security space.
  • Security Hot Spots create more meaningful filters for problem domains.
  • Security Hot Spots act as durable, evolvable backdrops to help rationalize a space.
  • It’s a living map.  You can start with a baseline set of hot spots and add to it as you need to.
  • They help you deal with information overload.  You need a way to see the forest for the trees, and you can use Security Hot Spots as a heat map.
  • You can use Security Hot Spots to guide your inspections (security design inspection, security code inspection, and security deployment inspection).
  • You can use Security Hot Spots to reduce friction.

Security Hot Spots (Application Level)
With Security Hot Spots, it’s easy to walk the categories and think of potential security problems or mistakes.  Here are some example issues, grouped by Security Hot Spots at the application level:

Auditing and Logging
  • User denies performing an operation.
  • Attacker exploits an application without trace.
  • Attacker covers his tracks.
Authentication
  • Network eavesdropping.
  • Brute force attacks.
  • Dictionary attacks.
  • Cookie replay attacks.
  • Credential theft.
Authorization
  • Elevation of privilege.
  • Disclosure of confidential data.
  • Data tampering.
  • Luring attacks.
Configuration Management
  • Unauthorized access to administration interfaces.
  • Unauthorized access to configuration stores.
  • Retrieval of clear text configuration secrets.
  • Lack of individual accountability.
  • Over-privileged process and service accounts.
Cryptography
  • Loss of decryption keys.
  • Encryption cracking.
Exception Management
  • Revealing sensitive system or application details.
  • Denial of service attacks.
Input and Data Validation
  • Buffer overflows.
  • Cross-site scripting.
  • SQL injection.
  • Canonicalization attacks.
  • Query string manipulation.
  • Form field manipulation.
  • Cookie manipulation.
  • HTTP header manipulation.
Sensitive Data
  • Accessing sensitive data in storage.
  • Accessing sensitive data in memory (including process dumps).
  • Network eavesdropping.
  • Information disclosure.
Session Management
  • Session hijacking.
  • Session replay.
  • Man-in-the-middle attacks.

Security Hot Spots (Code Level)
Here’s a list of potential security mistakes and issues, grouped by Security Hot Spots at the code level:

Authentication, Authorization and Trust
  • Comparing Classes by Name
  • Single-Factor Authentication
  • Hard-coded Passwords
Cryptography and Secrets
  • Key Exchange Without Entity Authentication
  • Failure to Add Integrity Check Value
  • Failure to Follow Chain of Trust in Certificate Validation
Language and Feature Misuse
  • Failure to Protect Class Data with Accessors
Logic Errors
  • Improper Pointer Subtraction
  • Failure to Deallocate Memory
  • Assigning Instead of Comparing
Memory
  • Null Pointer Dereference
  • Using Freed Memory
  • Doubly Freeing Memory
Range
  • Buffer Overflow
  • Stack Overflow
  • Heap Overflow
Synchronization and Timing
  • Race Condition in Time of Check, Time of Use
  • Unsafe Function Call from Signal Handler
  • Passing Mutable Objects to an Untrusted Method
Type
  • Format String
  • Truncation
  • Sign Conversion
Validation
  • Cross-site Scripting
  • Command Injection
  • Deserialization of Untrusted Data

Case Studies / Examples
Using Security Hot Spots produces results.  Here are examples of Security Hot Spots in action:

  • Security Guides / Books.  Security Hot Spots helped frame the patterns & practices books: Building Secure ASP.NET Applications, Improving Web Application Security, Security Engineering Explained, and Improving Web Services Security.
  • Competitive Assessments.  Security Hot Spots helped frame and drive the results for competitive assessments: .NET 1.1 vs. WebSphere 5.0, OpenHack4, and Security Engineering Study.
  • Web Application Security Frame.  Security Hot Spots helped create the Web Application Security Frame, which is an organizing backdrop for Web Application Security Guidelines and Web Application Threats, Attacks, Vulnerabilities and Countermeasures.
  • Web Services Security Frame. Security Hot Spots helped create the Web Services Security Frame, which is used as an organizing backdrop for Web Services Design Guidelines and Web Services Threats, Attacks, Vulnerabilities and Countermeasures.
  • Security Engineering Methodology.  The heart of our patterns & practices Security Engineering Methodology is Security Hot Spot driven.  We focus on the high ROI activities, and each activity uses Security Hot Spots to focus results.
  • Security Inspections.  Security Hot Spots help drive results for our patterns & practices Security Design Inspection, Security Code Inspection, and Security Deployment Inspection.
  • Security Checklists.  Security Hot Spots help organize the patterns & practices Security Design Checklist for Web Applications and the Security Design Checklist for Web Services.
  • Threat Modeling.  Much of the optimization of our patterns & practices Threat Modeling comes from leveraging Security Hot Spots.  We use the Security Hot Spots to help identify threats, attacks, and vulnerabilities.

Questions for Reflection
Hot spots are a powerful way to share information.  Here are some questions to help you turn insight into action:

  • How can you leverage Security Hot Spots to improve security results in your organization?
  • How can you organize your bodies of knowledge using Security Hot Spots?
  • How can you improve sharing patterns and anti-patterns using Security Hot Spots?
  • How can you improve checklists using Security Hot Spots?
  • How can you tune and prune your security inspections using Security Hot Spots?

My Related Posts

  • Security Frame
  • Security Principles
  • Security Approaches that Don’t Work
Category: Architecture, Security

Comments

  1. techhead

    Mar 11, 2009 at 6:24 am

    Thanks for the information! Now I’ll go and check all these spots on my server/apps.
