6 Application Security Flashcards

2
Q

What is a standardized software development life cycle?

A

A process that moves software through development, test, staging, and production environments.

It ensures that secure software development concepts are followed.

3
Q

What are the issues associated with code reuse?

A

Potential vulnerabilities and security risks that arise from using existing code in new applications.

Understanding these issues is crucial for secure software development.

4
Q

What principles should web applications align with?

A

Industry-standard principles such as those developed by OWASP.

OWASP stands for Open Worldwide Application Security Project.

5
Q

What are some common application vulnerabilities?

A

Memory injection, buffer overflow, race condition attacks, SQL injection (SQLi), and cross-site scripting (XSS).

Familiarity with these vulnerabilities helps in building defenses.

6
Q

What is the purpose of input validation in application security?

A

To protect code from malicious input that could lead to vulnerabilities.

It is a fundamental practice in secure coding.

7
Q

How should cookies for session management be secured?

A

Through the use of transport encryption.

This helps protect user sessions from interception.

8
Q

What does code signing provide to end users?

A

Assurance that code came from a trusted source.

It enhances the integrity and authenticity of software.

9
Q

What is sandboxing in application security?

A

Testing code in an isolated environment to prevent potential harm to the main system.

It allows for safe experimentation and vulnerability testing.

10
Q

What are the main benefits of automation in secure operations?

A

Efficiency, time-saving, enforcing baselines, standardizing configurations, scaling securely, retaining employees, lowering reaction times, and serving as a workforce multiplier.

These benefits enhance overall operational security.

11
Q

What are the main drawbacks of automation?

A

Complexity, cost, single point of failure, technical debt, and ongoing supportability issues.

Understanding these drawbacks is essential for effective implementation.

12
Q

What are common use cases of automation and scripting in cybersecurity?

A

User and resource provisioning, creating guard rails, managing security groups, ticket management, enabling/disabling services, continuous integration/testing, and using APIs.

These use cases improve security efficiency and management.

13
Q

What is the Software Development Life Cycle (SDLC)?

A

The SDLC describes the steps in a model for software development throughout its life, mapping from idea to requirements, design, coding, testing, and rollout.

The SDLC also includes user training, maintenance, and decommissioning.

14
Q

What are the common phases in most SDLC models?

A
  • Planning
  • Requirements Definition
  • Design
  • Coding
  • Testing
  • Training and Transition
  • Operations and Maintenance
  • Decommissioning

These phases may vary in order or approach, such as linear or iterative.

15
Q

What occurs during the planning phase of the SDLC?

A

Initial investigations into the feasibility of the effort, alternative solutions, and high-level costs are conducted, resulting in a recommendation.

This phase is crucial for deciding whether to move forward with a project.

16
Q

What is the purpose of the requirements definition phase?

A

To gather customer input on desired functionality, current system capabilities, and desired improvements, often ranking requirements by importance.

Security requirements are a key part of this analysis.

17
Q

What does the design phase include?

A

Design for functionality, architecture, integration points, dataflows, and business processes.

This phase is critical for ensuring the application meets specified requirements.

18
Q

What happens during the coding phase?

A

The actual coding of the application occurs, which may include unit testing of small components.

Some testing may occur here, but formal testing is conducted later.

19
Q

What is the focus of the testing phase?

A

Formal testing of integrated software components to ensure proper functionality, including user acceptance testing (UAT).

This phase is essential for validating the software meets user needs.

20
Q

What is the purpose of the training and transition phase?

A

To ensure end users are trained on the software and that it has entered general use.

This phase may also be referred to as acceptance, installation, and deployment.

21
Q

What occurs during the operations and maintenance phase?

A

Includes patching, updating, and minor modifications for ongoing support of the application.

This is usually the longest phase in the SDLC.

22
Q

What is the decommissioning phase in the SDLC?

A

Occurs when a product or system reaches the end of its life, involving shutting down old products and preserving or disposing of data.

This phase is often overlooked but is important for cost savings and proper data management.

23
Q

What are the common environments used in software development?

A
  • Development Environment
  • Test Environment
  • Staging Environment
  • Production Environment

Each environment serves a specific purpose in the software development lifecycle.

24
Q

What is the role of the production environment?

A

It is the live system where software changes that have been tested and approved are deployed.

Proper change management processes are typically followed to ensure accountability.

25
What is DevOps?
A model that combines software development and IT operations to optimize the SDLC using toolchains.
Footnote: DevOps aims to improve processes through automation and collaboration.
26
What does DevSecOps add to the DevOps model?
It integrates security into the DevOps model, making security a shared responsibility throughout the development and operations cycle.
Footnote: This ensures security is considered at every stage of application development.
27
What is continuous integration (CI)?
A development practice that checks code into a shared repository on an ongoing basis, enabling automation in the build process.
Footnote: CI aims to facilitate continuous delivery of code.
28
What is the relationship between continuous integration and continuous deployment (CD)?
CI involves ongoing code check-ins and automated builds, while CD automatically rolls out tested changes into production after validation.
Footnote: Together, they streamline software delivery processes.
29
What must be built into the CI/CD pipeline to ensure security?
Continuous validation and automated security testing must be integrated into the pipeline testing process.
Footnote: This helps prevent vulnerabilities from being deployed.
30
What is the first opportunity for security professionals to help with software security?
In the requirements gathering and design phases.
Footnote: Security can be built in as part of the requirements and designed based on those requirements.
31
What techniques can improve the quality and security of the code during development?
Secure coding techniques, code review, and testing.
Footnote: These practices enhance the overall security of the developed software.
32
What tools can be used during the testing phase to assess software security?
Web application security scanners and penetration testing techniques.
Footnote: These tools help identify vulnerabilities in fully integrated software.
33
What is one of the best resources for secure coding practices?
Open Worldwide Application Security Project (OWASP).
Footnote: OWASP provides standards, guides, best practices, and tools for developers and security practitioners.
34
What is the purpose of OWASP's top proactive controls?
To provide a set of useful best practices for application security.
Footnote: It also helps track how web application security threats evolve over time.
35
What does the proactive control 'Define Security Requirements' involve?
Implementing security throughout the development process.
Footnote: This ensures security is considered at every stage of development.
36
Fill in the blank: 'Leverage Security Frameworks and Libraries' means utilizing _______.
Preexisting security capabilities.
Footnote: This makes securing applications easier.
37
What is a key practice for securing database access?
Prebuild SQL queries to prevent injection.
Footnote: Proper configuration of databases for secure access is also important.
38
What should be done to user input to ensure security?
Treat it as untrusted and filter appropriately.
Footnote: This helps prevent various types of attacks, including injection attacks.
39
What does 'Implement Digital Identity' involve?
Using multifactor authentication, secure password storage, and session handling.
Footnote: This enhances the security of user identities.
40
What is the principle of least privilege in access controls?
Apply the principle of least privilege.
Footnote: Deny all requests by default and require access control checks.
41
How should sensitive data be handled during error management?
Errors should not provide sensitive data.
Footnote: Applications should be tested to ensure they handle problems gracefully.
42
What are APIs?
Interfaces between clients and servers or applications and operating systems.
Footnote: They define how the client requests information and how the server responds.
43
What are key components of API security?
Authentication, authorization, proper data scoping, rate limiting, input filtering, monitoring and logging.
Footnote: These measures help secure APIs from vulnerabilities.
44
What does OWASP's API Security Project provide?
A breakdown of API security techniques.
Footnote: It offers guidance on how to secure APIs effectively.
45
True or False: Security professionals are often asked to write scripts or programs that can access APIs.
True.
Footnote: This is common in security-related tasks to pull data from APIs.
46
What percentage of applications scanned by Veracode in 2023 exhibited at least one security issue?
74 percent
47
What is the purpose of software security testing?
To identify flaws in the code of applications.
48
What are the two main types of code analysis mentioned?
Static code analysis and dynamic code analysis
49
What does static code analysis focus on?
Understanding how the program is written and what the code is intended to do
50
True or False: Static code analysis executes the program.
False
51
What is fuzz testing also known as?
Fuzzing
52
What does dynamic code analysis rely on?
Execution of the code while providing it with input
53
What are the advantages of automated tools in software security testing?
They provide an easier way to verify that code is more secure and handle large volumes of tests
54
Fill in the blank: Fuzz testing involves sending _______ to an application to test its handling of unexpected data.
invalid or random data
55
What does regression testing ensure after code changes are made?
That the fixes didn't create new security issues
56
What is the main limitation of fuzzing?
It tends to only identify simple problems and may not provide complete code coverage
57
What type of problems can static code analysis help identify?
Programming and syntax errors, internal business logic problems
58
What is the preferred method for conducting dynamic code analysis?
Automated testing
59
What does fuzzing help detect in applications?
Input validation issues, logic issues, memory leaks, error handling
60
What is manual static code analysis sometimes referred to as?
Code understanding
61
True or False: Dynamic testing provides specific remediation suggestions.
False
62
What does Veracode provide annually regarding software security?
A yearly review of the state of software security
63
What is the main goal of analyzing and testing code?
To understand what the code does, how it performs tasks, and where flaws may occur
64
Fill in the blank: Static code analysis can be conducted using _______ tools or manually.
automated
65
What are injection vulnerabilities?
Injection vulnerabilities are primary mechanisms that attackers use to break through a web application and gain access to the systems supporting that application.
66
What is a SQL injection attack?
A SQL injection attack involves supplying malicious SQL code to a web application to manipulate database queries.
67
What might a typical SQL query for a search function look like?
SELECT ItemName, ItemDescription, ItemPrice FROM Products WHERE ItemName LIKE '%searchTerm%'
68
In a SQL injection attack, what might an attacker input to retrieve customer data?
orange tiger pillow'; SELECT CustomerName, CreditCardNumber FROM Orders; --
69
What is blind SQL injection?
Blind SQL injection is a technique used when attackers cannot see the results of their queries directly.
70
What is a content-based blind SQL injection attack?
A content-based blind SQL injection attack tests whether the application interprets injected code by manipulating input.
71
How can an attacker test for SQL injection vulnerability using a specific input?
By entering '52019' OR 1=1;-- in an input field.
72
What is the outcome of the query: SELECT FirstName, LastName, Balance FROM Accounts WHERE AccountNumber = '52019' OR 1=1?
It matches all results in the Accounts table.
73
What does the input '52019' AND 1=2;-- accomplish in SQL injection?
It results in a query that never returns any results.
74
What is a timing-based SQL injection attack?
A timing-based SQL injection attack uses the time it takes to process a query to infer information about the database.
75
What command can be used in a timing-based SQL injection to introduce a delay?
WAITFOR DELAY '00:00:15'
76
What is the purpose of using a timing-based attack to discover a password?
To check each character of the password one by one by introducing delays.
77
What are code injection attacks?
Code injection attacks seek to insert attacker-written code into legitimate code created by a web application developer.
78
Give an example of another type of injection attack besides SQL injection.
  • LDAP injection
  • XML injection
  • DLL injection
79
What is cross-site scripting (XSS)?
Cross-site scripting is a code injection attack that inserts HTML code written by an attacker into web pages created by a developer.
80
What is a command injection attack?
A command injection attack allows an attacker to execute commands on the operating system via a web application.
81
How might an attacker exploit a web application that creates directories?
By inputting 'mchapple & rm -rf /home' to execute system commands.
82
What is the risk of an application using system() calls?
It can allow attackers to manipulate the operating system if input is not properly validated.
83
What is the primary purpose of authentication mechanisms in applications?
To confirm the identity of users and devices and verify authorization for specific actions.
84
Why are passwords considered a weak form of authentication?
They are easily defeated due to being a knowledge-based authentication technique.
85
Name one method attackers use to discover a user's password.
Conducting social engineering attacks.
86
What is credential brute-forcing?
An exhaustive search to crack weakly hashed passwords obtained from a target system.
87
What are common default username/password combinations that attackers test?
  • administrator/password
  • admin/password
  • admin/admin
88
What is the difference between credential-stealing attacks and session hijacking attacks?
Credential-stealing attacks authenticate using a stolen account; session hijacking takes over an already authenticated session.
89
How do most websites manage user sessions?
Using cookies managed in the user's browser.
90
What does a cookie contain in the context of session authentication?
An authentication string that ties the cookie to a particular user session.
91
True or False: Cookies are similar to physical badges used for authentication at events.
True
92
How can an attacker steal a cookie?
By eavesdropping on unencrypted network connections.
93
What is cookie manipulation in the context of session attacks?
Altering the details sent back to the website or using the cookie to gain access.
94
What is a session replay attack?
Using a stolen cookie to impersonate a user to a website.
95
What is the purpose of marking cookies with the SECURE attribute?
To ensure cookies are only transmitted over encrypted channels.
96
What is the NTLM pass-the-hash attack?
An attack where stored NTLM password hashes are used to gain access to systems.
97
What is an unvalidated redirect in web applications?
Allowing redirection to any URL, which can be exploited by attackers.
98
How can developers protect against unvalidated redirects?
By performing validated redirects against an approved list of URLs.
99
Fill in the blank: An attacker might use an unvalidated redirect to redirect a user to a _____ site.
malicious
100
What is a common issue in application development regardless of the chosen framework or language?
The same security problems continue to appear in applications all the time.
101
Why are comments in source code important?
They provide documentation of design choices, explain workflows, and offer details crucial to other developers.
102
What risk do comments in code pose to security?
They can provide attackers with a roadmap explaining how code works, potentially revealing critical security details.
103
What should developers do with comments in production versions of the code?
Remove comments from production versions before deployment.
104
How can attackers exploit errors in code?
By creating unexpected situations that test the boundaries of the code.
105
What is a defense-in-depth approach in cybersecurity?
It involves implementing multiple layers of security controls to protect against threats.
106
What is the risk of overly verbose error handling routines?
They may expose too much information about the code's inner workings, aiding attackers.
107
What is a backdoor vulnerability?
A hard-coded maintenance account that allows bypassing normal authentication.
108
What is the consequence of hard-coding credentials in source code?
If disclosed, those credentials can be used by outsiders to gain unauthorized access.
109
What does package monitoring involve?
Keeping track of all third-party libraries, understanding their functions, and updating them to secure versions.
110
What is resource exhaustion?
When a system consumes all available memory, storage, or processing time, rendering it disabled.
111
What is a memory leak?
When an application fails to return memory to the operating system that it no longer needs.
112
What issue arises from dereferencing a null pointer?
It causes a null pointer exception, potentially providing an attacker with debugging information.
113
What is a buffer overflow attack?
When an attacker manipulates a program to place more data into memory than allocated.
114
What is memory injection in the context of buffer overflow attacks?
Maliciously inserting information into memory to overwrite other data.
115
What are the three important terms related to race conditions?
  • Time-of-Check (TOC)
  • Time-of-Use (TOU)
  • Target of Evaluation (TOE)
116
What is a Time-of-Check-to-Time-of-Use (TOCTTOU) issue?
Occurs when a program checks access permissions too far ahead of a resource request.
117
What can unprotected APIs lead to?
Unauthorized use of functions and potential modification of services.
118
What should be used to secure APIs not intended for public use?
An authentication mechanism, such as an API key, accessed over encrypted channels.
119
What is the primary purpose of standardizing tasks in cybersecurity?
To identify opportunities for automation
120
What are the two key characteristics of processes suitable for automation?
Repeatable and do not require human interaction
121
What does SOAR stand for?
Security Orchestration, Automation, and Response
122
How can SOAR platforms improve an organization's use of threat intelligence?
By enriching data about ongoing incidents with information about emerging threats
123
Name three scripting languages commonly used in cybersecurity automation.
  • Python
  • Bash
  • PowerShell
124
Fill in the blank: Automated scripts can handle the process of ______ access to systems and networks.
user provisioning
125
What is one use case for automation in resource management?
Automating the allocation and deallocation of system resources
126
True or False: Automation can prevent violations of security protocols.
True
127
What benefit does automation provide regarding reaction time to security incidents?
Reduces reaction time
128
List two benefits of automation and scripting in cybersecurity.
  • Enhancing operational efficiency
  • Reducing reaction time
129
What is a potential challenge of implementing automation?
Complexity in development and management of automation scripts
130
What is a single point of failure in the context of automation?
Over-reliance on automation that could impact operations if a script malfunctions
131
Fill in the blank: Ongoing supportability of scripts requires dedicated ______.
resources
132
What can be a consequence of outdated automated scripts?
Technical debt
133
How does automation act as a workforce multiplier?
By handling repetitive tasks, increasing team capacity
134
What can automation ensure regarding security baselines?
Consistent application across systems and networks
135
What is one way automation improves employee satisfaction?
By automating mundane tasks
136
Fill in the blank: Automation can streamline the ______ process in IT operations.
ticketing
137
What integral role does software play in organizations?
Performs tasks ranging from financial transactions to the management of sensitive physical infrastructure components.
138
What must cybersecurity professionals ensure about the software used in their environment?
Undergoes rigorous testing to determine if it meets business requirements and does not expose the organization to cybersecurity risks.
139
What is necessary to achieve software security goals?
A strong understanding of different types of vulnerabilities.
140
What types of applications are mentioned in relation to vulnerabilities?
Client-server and web applications.
141
What are the main focuses of the chapter?
Vulnerabilities in source code and tools used to manage software security risks.
142
Cybersecurity professionals must test software to ensure it does not expose the organization to _______.
serious cybersecurity risks
143
True or False: The chapter discusses the importance of understanding software vulnerabilities.
True