4.0 Application Deployment and Security

Question 1

What are two advantages of Container technology as opposed to virtural machine technology?

Answer 1

Direct access to bare-metal hardware

Optimal use of system resources

Question 2

LXC

Answer 2

Linux Containers

Question 3

What is LXC

Answer 3

LXC provides virtualization at the operating system level by allowing multiple Linux environments to run on a shared Linux kernel, where each environment has its own process and network space.

Question 4

What is DevOps?

Answer 4

a change in culture and process that emphasizes increased collaboration between teams such as software, developers, IT operations, and other services (for example, quality assurance). Though DevOps has primarily focused on development and systems, the principles solve real-world problems that network operators struggle with daily as well.

Question 5

What is Devops?

Answer 5

A change in operational approach and mindset

A cultural movement

Question 6

What are some DevOps principles?

Answer 6

Iterative
Incremental
Continuous
Automated
Self-service
Collaborative
Holistic

Question 7

What DevOps principle breaks the working process of DevOps into smaller bits. This allows tests to be included in the early stages of DevOps and helps with faster error checks?

Answer 7

Iterative

Question 8

What DevOps principle define that Projects need to be developed in small and rapid incremental cycles?

Answer 8

Incremental

Question 9

What DevOps principle Merge the development (testing) and deployment into a single improved and simpler process?

Answer 9

Continuous

Question 10

What DevOps principle Everything that can be automated should be automated? This adds speed and precision to the process.

Answer 10

Automated

Question 11

What DevOps principle Every IT engineer should have the same development environment to develop and test projects.

Answer 11

Self-service

Question 12

What DevOps principle The DevOps team needs to be united, work together, and help each other during the entire DevOps life cycle?

Answer 12

Collaborative

Question 13

What DevOps principle The DevOps process needs to be treated as a whole process, rather than just a couple of smaller tasks?

Answer 13

Holistic

Question 14

The directory where the Dockerfile is located is called what?

Answer 14

context

Question 15

What instruction must a Dockerfile begin with?

Answer 15

FROM

Question 16

What Dockerfile instruction specifies the parent image?

Answer 16

FROM

Question 17

What Dockerfile instruction is an exception and can be placed before the FROM instruction?

Answer 17

ARG - in case arguments are used in the FROM instruction

Question 18

What are the steps to building a container?

Answer 18

1. Write the Dockerfile
2. Add files to the build’s context
3. Build the image using the “docker build” command
4. Start the container with the new image.

Question 19

T/F - Convention dictates the instructions in a Dockerfile be uppercase?

Answer 19

True

Question 20

T/F Dockerfiles must start with the FROM instruction.

Answer 20

True

Question 21

T/F In a Dockerfile, # lines are comments.

Answer 21

True

Question 22

Dockerfile basic instructions - Specifies the parent (base) image to be used for the following instructions in the Dockerfile.

Answer 22

FROM

Question 23

Dockerfile basic instructions - Used to copy files or directories from the build’s context into the container. The destination can be an absolute or a relative path in the container file system. Relative paths are relative to the working directory.

Answer 23

COPY

Question 24

Dockerfile basic instructions - Creates a new environment variable or sets a value of an existing variable inside the container. There are two possible ways of defining the environment variables, with or without the “=” sign. By using “=”, multiple variables can be set in the same instruction.

Answer 24

ENV

Question 25

Dockerfile basic instructions - Used to run a single or multiple commands in a shell in the container.

Answer 25

RUN

Question 26

Dockerfile basic instructions - Creates a mounting point for persisting data that is consumed by the Docker containers. Volumes are managed by Docker and do not get deleted when the container stops running.

Answer 26

VOLUME

Question 27

Dockerfile basic instructions - Exposes a TCP or UDP port on which the application running in the container is accessible. The instruction serves more as a documentation for the one running the container to correctly publish the ports to the outside network when running the container.

Answer 27

EXPOSE

Question 28

OWASP

Answer 28

Open Web Application Security Project

Question 29

XSS

Answer 29

Cross-site scripting

Question 30

What is cross site scripting?

Answer 30

when an attacker executes malicious scripts in the web browser of a victim. It exploits known vulnerabilities in web applications, web application servers, and its plug-in systems. The attacker injects malicious code, mostly JavaScript, into a legitimate web page or application. When the victim visits the compromised web page, the script is executed. Because it comes from a trusted source, the web browser does not check the content for malicious scripts. This way, the attacker gains access privileges to cookies, delicate content, and other session information operated by the web browser from the user. The most common XSS attacks occur on web pages that grant user comments and web forums.

Question 31

How do you prevent XSS attacks?

Answer 31

it is important that the HTTP TRACE is turned off on a web application server in order to deny all untrusted data into the web page HTML document and escape (HTML, JavaScript, cascading style sheet [CSS]) tags, and sanitize any of the user input.

Question 32

SQL

Answer 32

Structured Query Language

Question 33

(3) Types of SQL Injection attacks

Answer 33

In-band SQL injection
Inferential or blind SQL injection
Out-of-band SQL injection

Question 34

How do you protect against SQL injection attacks?

Answer 34

Sanitize any input data that you get from the user.

Use prepared statements and not dynamic SQL.

Specify the output data so that you do not leak any sensitive data that is not supposed to be seen.

Question 35

CSRF

Answer 35

Cross-site request forgery

Question 36

What is a CSRF

Answer 36

when an attacker forces a victim to issue undesirable actions on the victim-authenticated web application.

Question 37

How do you prevent CSRF?

Answer 37

Prevention of a CSRF attack can be done with antiforgery tokens. You need to introduce a unique and secret token with every HTTP response. The antiforgery tokens are usually random numbers that are stored inside a cookie and stored on a web server. With every HTTP request, the tokens are validated from the server, and if the tokens match on both the cookie and the server, the request is accepted.

Question 38

SSRF

Answer 38

Server-side request forgery

Question 39

What is a SSRF?

Answer 39

allow the attacker to send a forged request from a web server on the behalf of the attacker. In this type of attack, the targets usually are internal systems behind some firewalls. The web application request sometimes retrieves external information from a third-party resource (such as updates), and the attacker can modify or control such requests.

Question 40

How do you prevent SSRF?

Answer 40

you need to use a whitelist of allowed domains and protocols from which the server can retrieve external resources.