4.0 Application Deployment and Security Flashcards
What are two advantages of container technology as opposed to virtual machine technology?
Direct access to bare-metal hardware
Optimal use of system resources
LXC
Linux Containers
What is LXC
LXC provides virtualization at the operating system level by allowing multiple Linux environments to run on a shared Linux kernel, where each environment has its own process and network space.
What is DevOps?
A change in culture and process that emphasizes increased collaboration between teams such as software developers, IT operations, and other services (for example, quality assurance). Though DevOps has primarily focused on development and systems, its principles also solve real-world problems that network operators struggle with daily.
What is DevOps?
A change in operational approach and mindset
A cultural movement
What are some DevOps principles?
Iterative, Incremental, Continuous, Automated, Self-service, Collaborative, Holistic
Which DevOps principle breaks the working process into smaller pieces, so that tests can be included in the early stages and errors are caught faster?
Iterative
Which DevOps principle defines that projects need to be developed in small and rapid incremental cycles?
Incremental
Which DevOps principle merges development (including testing) and deployment into a single, simpler, improved process?
Continuous
Which DevOps principle states that everything that can be automated should be automated, adding speed and precision to the process?
Automated
Which DevOps principle states that every IT engineer should have the same development environment to develop and test projects?
Self-service
Which DevOps principle states that the DevOps team needs to be united, work together, and help each other during the entire DevOps life cycle?
Collaborative
Which DevOps principle states that the DevOps process needs to be treated as a whole, rather than as just a couple of smaller tasks?
Holistic
The directory where the Dockerfile is located is called what?
context
What instruction must a Dockerfile begin with?
FROM
What Dockerfile instruction specifies the parent image?
FROM
What Dockerfile instruction is an exception and can be placed before the FROM instruction?
ARG - in case arguments are used in the FROM instruction
What are the steps to building a container?
- Write the Dockerfile
- Add files to the build’s context
- Build the image using the “docker build” command
- Start the container with the new image.
T/F - Convention dictates that the instructions in a Dockerfile be uppercase.
True
T/F Dockerfiles must start with the FROM instruction.
True
T/F In a Dockerfile, # lines are comments.
True
Dockerfile basic instructions - Specifies the parent (base) image to be used for the following instructions in the Dockerfile.
FROM
Dockerfile basic instructions - Used to copy files or directories from the build’s context into the container. The destination can be an absolute or a relative path in the container file system. Relative paths are relative to the working directory.
COPY
Dockerfile basic instructions - Creates a new environment variable or sets a value of an existing variable inside the container. There are two possible ways of defining the environment variables, with or without the “=” sign. By using “=”, multiple variables can be set in the same instruction.
ENV
Dockerfile basic instructions - Used to run a single or multiple commands in a shell in the container.
RUN
Dockerfile basic instructions - Creates a mounting point for persisting data that is consumed by the Docker containers. Volumes are managed by Docker and do not get deleted when the container stops running.
VOLUME
Dockerfile basic instructions - Exposes a TCP or UDP port on which the application running in the container is accessible. The instruction serves more as documentation for the person running the container, so that they can correctly publish the ports to the outside network when running the container.
EXPOSE
OWASP
Open Web Application Security Project
XSS
Cross-site scripting
What is cross site scripting?
When an attacker executes malicious scripts in the web browser of a victim. It exploits known vulnerabilities in web applications, web application servers, and their plug-in systems. The attacker injects malicious code, mostly JavaScript, into a legitimate web page or application. When the victim visits the compromised web page, the script is executed. Because it comes from a trusted source, the web browser does not check the content for malicious scripts. This way, the attacker gains access to cookies, sensitive content, and other session information that the web browser holds for the user. The most common XSS attacks occur on web pages that allow user comments and on web forums.
How do you prevent XSS attacks?
It is important that HTTP TRACE is turned off on the web application server, to deny all untrusted data in the web page HTML document, to escape HTML, JavaScript, and cascading style sheet (CSS) tags, and to sanitize any user input.
SQL
Structured Query Language
Three types of SQL injection attacks
In-band SQL injection
Inferential or blind SQL injection
Out-of-band SQL injection
How do you protect against SQL injection attacks?
Sanitize any input data that you get from the user.
Use prepared statements and not dynamic SQL.
Specify the output data so that you do not leak any sensitive data that is not supposed to be seen.
CSRF
Cross-site request forgery
What is a CSRF
When an attacker forces a victim to issue undesired actions on a web application to which the victim is authenticated.
How do you prevent CSRF?
Prevention of a CSRF attack can be done with antiforgery tokens. You need to introduce a unique and secret token with every HTTP response. The antiforgery tokens are usually random numbers that are stored both inside a cookie and on the web server. With every HTTP request, the server validates the tokens, and if the token in the cookie matches the token on the server, the request is accepted.
SSRF
Server-side request forgery
What is a SSRF?
Allows the attacker to make the web server send a forged request on the attacker's behalf. In this type of attack, the targets are usually internal systems behind firewalls. The web application sometimes retrieves external information from a third-party resource (such as updates), and the attacker can modify or control such requests.
How do you prevent SSRF?
You need to use a whitelist of allowed domains and protocols from which the server can retrieve external resources.