Page 652 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

Covert Storage Channel: A covert storage channel conveys information by writing data to a common storage area where another process can read it. When assessing the security of software, be on the lookout for any process that writes to any area of memory that another process can read.

Both types of covert channels rely on the use of communication techniques to exchange information with otherwise unauthorized subjects. Because the covert channel is outside the normal data transfer environment, detecting it can be difficult. The best defense is to implement auditing and analyze log files for any covert channel activity.
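One way to carry out the log analysis recommended above, as an added example that is not from the study guide: the audit record format, subject names, sensitivity labels and paths are all constructed assumptions. It flags shared storage objects that a higher-sensitivity subject wrote and a lower-sensitivity subject later read, which is the pattern a covert storage channel leaves behind.

```python
from collections import defaultdict

# Constructed audit records (assumed format): "time subject label op object"
SAMPLE_AUDIT = """\
1001 payroll_svc secret write /dev/shm/cache.lock
1002 web_front public read /dev/shm/cache.lock
1003 payroll_svc secret write /var/payroll/ledger.db
1004 report_job secret read /var/payroll/ledger.db
1005 web_front public write /tmp/upload.tmp
1006 payroll_svc secret read /tmp/upload.tmp
1007 payroll_svc secret write /dev/shm/cache.lock
1008 web_front public read /dev/shm/cache.lock
"""

LEVELS = {"public": 0, "internal": 1, "secret": 2}  # assumed label ordering

def parse(text):
    """Yield (ts, subject, label, op, obj) for well-formed records only."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[2] in LEVELS and parts[3] in ("read", "write"):
            ts, subject, label, op, obj = parts
            yield int(ts), subject, label, op, obj

def find_downward_flows(text):
    """Map each object to (writer, reader, write_ts, read_ts) downward flows."""
    writes = defaultdict(dict)    # obj -> {writer: (label, ts of latest write)}
    findings = defaultdict(list)
    for ts, subject, label, op, obj in sorted(parse(text)):
        if op == "write":
            writes[obj][subject] = (label, ts)
            continue
        for writer, (wlabel, wts) in writes[obj].items():
            # Suspicious only when data moves from a higher label to a lower one.
            if writer != subject and LEVELS[wlabel] > LEVELS[label]:
                findings[obj].append((writer, subject, wts, ts))
    return dict(findings)

if __name__ == "__main__":
    for obj, flows in find_downward_flows(SAMPLE_AUDIT).items():
        for writer, reader, wts, rts in flows:
            print(f"{obj}: {writer} wrote at {wts}, {reader} read at {rts}")
```

A secret subject reading a public file, as in the `/tmp/upload.tmp` records, is not reported because information there flows upward.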


Attacks Based on Design or Coding Flaws and Security Issues


Certain attacks may result from poor design techniques, questionable implementation practices and procedures, or poor or inadequate testing. Some attacks may result from deliberate design decisions when special points of entry built into code to circumvent access controls, login, or other security checks (often added to code while under development) are not removed when that code is put into production. For what we hope are obvious reasons, such points of egress are properly called back doors because they avoid security measures by design (they’re covered later in this chapter in “Maintenance Hooks and Privileged Programs”). Extensive testing and code review are required to uncover such covert means of access, which are easy to remove during final phases of development but can be incredibly difficult to detect during the testing and maintenance phases.

Although functionality testing is commonplace for commercial code and applications, separate testing for security issues has been gaining attention and credibility only in the past few years, courtesy of widely publicized virus and worm attacks, SQL injection attacks, cross-site scripting attacks, and occasional defacements of or disruptions to widely used public sites online. You might benefit from viewing the OWASP Top 10 Web Application Security Risks report at https://www.owasp.org/images/7/72/OWASP_Top_10-