1
00:00:00,590 --> 00:00:02,700
<v ->Design vulnerabilities.</v>

2
00:00:02,700 --> 00:00:04,410
In this lesson, we're going to talk about

3
00:00:04,410 --> 00:00:06,780
some software design vulnerabilities and what

4
00:00:06,780 --> 00:00:08,910
are some things you can do to overcome them.

5
00:00:08,910 --> 00:00:10,550
Now, when it comes to vulnerabilities,

6
00:00:10,550 --> 00:00:13,320
vulnerabilities often arise from the general design

7
00:00:13,320 --> 00:00:14,570
of your software code.

8
00:00:14,570 --> 00:00:17,270
And so, if you do bad software code design,

9
00:00:17,270 --> 00:00:19,320
you're going to have a lot more vulnerabilities.

10
00:00:19,320 --> 00:00:22,610
So, in this lesson, we're going to focus on three main types.

11
00:00:22,610 --> 00:00:24,440
We have insecure components,

12
00:00:24,440 --> 00:00:26,290
insufficient logging and monitoring,

13
00:00:26,290 --> 00:00:28,650
and weak or default configurations.

14
00:00:28,650 --> 00:00:30,610
Now, when we talk about insecure components,

15
00:00:30,610 --> 00:00:31,450
what is this?

16
00:00:31,450 --> 00:00:34,240
Well, it's really any code that's used or invoked outside

17
00:00:34,240 --> 00:00:36,530
of the main program development process.

18
00:00:36,530 --> 00:00:38,610
So, when you're dealing with this and you start dealing

19
00:00:38,610 --> 00:00:39,900
with insecure components,

20
00:00:39,900 --> 00:00:42,230
this can come from a lot of different areas.

21
00:00:42,230 --> 00:00:44,750
For instance, it could come from code reuse.

22
00:00:44,750 --> 00:00:46,470
Now, this is where you take one block of code

23
00:00:46,470 --> 00:00:48,640
from somewhere else in the program, just copy and paste it

24
00:00:48,640 --> 00:00:50,930
and use it again, or you take it from one application

25
00:00:50,930 --> 00:00:52,640
and put it into another application.

26
00:00:52,640 --> 00:00:54,730
A lot of times, people go on to stack exchange

27
00:00:54,730 --> 00:00:56,330
and they'll go and copy people's code

28
00:00:56,330 --> 00:00:57,730
and put it into their own.

29
00:00:57,730 --> 00:00:59,660
Now, there's nothing wrong with doing that initially,

30
00:00:59,660 --> 00:01:02,410
but if you're reusing code and you don't know if it's secure

31
00:01:02,410 --> 00:01:04,350
or not, you could be bringing in vulnerabilities

32
00:01:04,350 --> 00:01:05,950
into your program by doing that.

33
00:01:05,950 --> 00:01:08,660
And so, this is why we consider it an insecure component.

34
00:01:08,660 --> 00:01:11,560
Another thing we might use is a third-party library.

35
00:01:11,560 --> 00:01:14,050
Anytime you bring in a library to do some function for you,

36
00:01:14,050 --> 00:01:16,670
you are importing that code into your program.

37
00:01:16,670 --> 00:01:19,420
And so, you might bring in a dynamic link library in Windows

38
00:01:19,420 --> 00:01:21,160
or a shared object library in Linux,

39
00:01:21,160 --> 00:01:22,620
and that might give you the ability

40
00:01:22,620 --> 00:01:25,130
to do network connections or do cryptography.

41
00:01:25,130 --> 00:01:27,030
But if those things were not secure,

42
00:01:27,030 --> 00:01:29,940
you now brought that insecurity into your program.

43
00:01:29,940 --> 00:01:32,470
And the third thing is software development toolkits.

44
00:01:32,470 --> 00:01:35,070
Again, SDKs are really helpful as a programmer

45
00:01:35,070 --> 00:01:36,810
because I don't have to go and create all

46
00:01:36,810 --> 00:01:38,340
those prebuilt functions.

47
00:01:38,340 --> 00:01:40,510
But if the person who built those prebuilt functions,

48
00:01:40,510 --> 00:01:41,760
didn't do a good job,

49
00:01:41,760 --> 00:01:43,850
you're bringing in those vulnerabilities as well.

50
00:01:43,850 --> 00:01:46,060
And the other issue with these three areas is especially

51
00:01:46,060 --> 00:01:48,230
with SDKs and third party libraries,

52
00:01:48,230 --> 00:01:50,650
is sometimes they built it thinking it was good.

53
00:01:50,650 --> 00:01:53,320
And then six months later, there's a vulnerability to it.

54
00:01:53,320 --> 00:01:55,280
If you're using an old version of a library

55
00:01:55,280 --> 00:01:57,150
or an old version of an SDK,

56
00:01:57,150 --> 00:01:59,530
you aren't using the latest and greatest patched one,

57
00:01:59,530 --> 00:02:01,860
and therefore, you're missing those security fixes,

58
00:02:01,860 --> 00:02:04,890
and you're bringing in those insecurities into your program.

59
00:02:04,890 --> 00:02:06,450
The second area we want to talk about

60
00:02:06,450 --> 00:02:08,550
is insufficient logging and monitoring.

61
00:02:08,550 --> 00:02:11,050
Now, this is any program that does not properly record

62
00:02:11,050 --> 00:02:13,760
or log detailed enough information for an analyst

63
00:02:13,760 --> 00:02:16,600
to perform their job when there's an incident that happens.

64
00:02:16,600 --> 00:02:19,340
So, if I create a program and I don't have any kind

65
00:02:19,340 --> 00:02:21,190
of logging and monitoring, well,

66
00:02:21,190 --> 00:02:22,900
that's not going to be very good for my analysts

67
00:02:22,900 --> 00:02:24,610
who have to deal with the instant response later.

68
00:02:24,610 --> 00:02:27,090
So, we want to make sure we're always setting up our logging

69
00:02:27,090 --> 00:02:29,072
and our monitoring to support our use case,

70
00:02:29,072 --> 00:02:32,230
and that way, we can answer the who, the what, the when,

71
00:02:32,230 --> 00:02:35,310
the where, and the how, when things go wrong.

72
00:02:35,310 --> 00:02:36,840
Now, what is your use case?

73
00:02:36,840 --> 00:02:39,050
Well, that's up to you and your organization.

74
00:02:39,050 --> 00:02:41,140
You're going to determine how much logging you want,

75
00:02:41,140 --> 00:02:43,930
how long you want to store it for, and all those details,

76
00:02:43,930 --> 00:02:46,780
like we talked about back in our logging lessons.

77
00:02:46,780 --> 00:02:48,040
The third area we want to talk about

78
00:02:48,040 --> 00:02:50,270
is weak or default configurations.

79
00:02:50,270 --> 00:02:52,900
Now, this is any program that uses ineffective credentials

80
00:02:52,900 --> 00:02:55,230
or configurations or one in which the defaults

81
00:02:55,230 --> 00:02:57,430
have not been changed for security.

82
00:02:57,430 --> 00:03:00,000
When you're dealing with weak or default configurations,

83
00:03:00,000 --> 00:03:02,380
there are lots of these things out there in the marketplace,

84
00:03:02,380 --> 00:03:05,590
and they are running amok, in a lot of people's networks.

85
00:03:05,590 --> 00:03:08,050
Now, many applications choose simply to run

86
00:03:08,050 --> 00:03:11,280
as root or local admin, that's their default configuration.

87
00:03:11,280 --> 00:03:12,240
You need to ask yourself,

88
00:03:12,240 --> 00:03:14,130
does this program really need to be root?

89
00:03:14,130 --> 00:03:16,290
Does this program really need to be an admin?

90
00:03:16,290 --> 00:03:18,140
And if not, don't let it run that way

91
00:03:18,140 --> 00:03:20,700
because you want to use least privileges.

92
00:03:20,700 --> 00:03:22,690
Also, sometimes you have some of these programs

93
00:03:22,690 --> 00:03:24,980
and by default, their permissions are really vague,

94
00:03:24,980 --> 00:03:26,450
they're really permissive.

95
00:03:26,450 --> 00:03:28,960
And so, they allow a lot of files and directories to be read

96
00:03:28,960 --> 00:03:30,450
and write and execute it too,

97
00:03:30,450 --> 00:03:32,970
and this would be a weak configuration.

98
00:03:32,970 --> 00:03:34,660
Another place I see this all the time

99
00:03:34,660 --> 00:03:36,540
is when we're using hardware appliances

100
00:03:36,540 --> 00:03:38,710
or using some kind of software that has a password

101
00:03:38,710 --> 00:03:40,050
and username already built in,

102
00:03:40,050 --> 00:03:42,290
and it's often something like administrator administrator,

103
00:03:42,290 --> 00:03:44,690
or admin admin, or root root.

104
00:03:44,690 --> 00:03:46,800
This is a weak or default configuration

105
00:03:46,800 --> 00:03:48,420
that should be changed immediately once

106
00:03:48,420 --> 00:03:50,110
you install it into the environment.

107
00:03:50,110 --> 00:03:51,990
Now, what's the best practice to prevent some of

108
00:03:51,990 --> 00:03:52,960
these weaknesses?

109
00:03:52,960 --> 00:03:55,585
Well, the biggest one is to utilize scripted installations

110
00:03:55,585 --> 00:03:57,780
and baseline configuration templates

111
00:03:57,780 --> 00:04:00,110
to secure your applications during install.

112
00:04:00,110 --> 00:04:02,450
So, if I'm going to install some program,

113
00:04:02,450 --> 00:04:04,410
there should be a security configuration template

114
00:04:04,410 --> 00:04:06,660
or a scripted installation that actually goes through

115
00:04:06,660 --> 00:04:08,740
and makes those things more secure.

116
00:04:08,740 --> 00:04:10,960
This would be something that your organization does itself

117
00:04:10,960 --> 00:04:13,060
or something provided by the manufacturer.