6 Application Security Flashcards
What is a standardized software development life cycle?
A process that moves software through development, test, staging, and production environments.
It ensures that secure software development concepts are followed.
What are the issues associated with code reuse?
Potential vulnerabilities and security risks that arise from using existing code in new applications.
Understanding these issues is crucial for secure software development.
What principles should web applications align with?
Industry-standard principles such as those developed by OWASP.
OWASP stands for Open Worldwide Application Security Project.
What are some common application vulnerabilities?
Memory injection, buffer overflow, race condition attacks, SQL injection (SQLi), and cross-site scripting (XSS).
Familiarity with these vulnerabilities helps in building defenses.
What is the purpose of input validation in application security?
To protect code from malicious input that could lead to vulnerabilities.
It is a fundamental practice in secure coding.
How should cookies for session management be secured?
Through the use of transport encryption.
This helps protect user sessions from interception.
What does code signing provide to end users?
Assurance that code came from a trusted source.
It enhances the integrity and authenticity of software.
What is sandboxing in application security?
Testing code in an isolated environment to prevent potential harm to the main system.
It allows for safe experimentation and vulnerability testing.
What are the main benefits of automation in secure operations?
Efficiency, time-saving, enforcing baselines, standardizing configurations, scaling securely, retaining employees, lowering reaction times, and serving as a workforce multiplier.
These benefits enhance overall operational security.
What are the main drawbacks of automation?
Complexity, cost, single point of failure, technical debt, and ongoing supportability issues.
Understanding these drawbacks is essential for effective implementation.
What are common use cases of automation and scripting in cybersecurity?
User and resource provisioning, creating guard rails, managing security groups, ticket management, enabling/disabling services, continuous integration/testing, and using APIs.
These use cases improve security efficiency and management.
What is the Software Development Life Cycle (SDLC)?
The SDLC describes the steps in a model for software development throughout its life, mapping from idea to requirements, design, coding, testing, and rollout.
The SDLC also includes user training, maintenance, and decommissioning.
What are the common phases in most SDLC models?
- Planning
- Requirements Definition
- Design
- Coding
- Testing
- Training and Transition
- Operations and Maintenance
- Decommissioning
These phases may vary in order or approach, such as linear or iterative.
What occurs during the planning phase of the SDLC?
Initial investigations into the feasibility of the effort, alternative solutions, and high-level costs are conducted, resulting in a recommendation.
This phase is crucial for deciding whether to move forward with a project.
What is the purpose of the requirements definition phase?
To gather customer input on desired functionality, current system capabilities, and desired improvements, often ranking requirements by importance.
Security requirements are a key part of this analysis.
What does the design phase include?
Design for functionality, architecture, integration points, dataflows, and business processes.
This phase is critical for ensuring the application meets specified requirements.
What happens during the coding phase?
The actual coding of the application occurs, which may include unit testing of small components.
Some testing may occur here, but formal testing is conducted later.
What is the focus of the testing phase?
Formal testing of integrated software components to ensure proper functionality, including user acceptance testing (UAT).
This phase is essential for validating the software meets user needs.
What is the purpose of the training and transition phase?
To ensure end users are trained on the software and that it has entered general use.
This phase may also be referred to as acceptance, installation, and deployment.
What occurs during the operations and maintenance phase?
Includes patching, updating, and minor modifications for ongoing support of the application.
This is usually the longest phase in the SDLC.
What is the decommissioning phase in the SDLC?
Occurs when a product or system reaches the end of its life, involving shutting down old products and preserving or disposing of data.
This phase is often overlooked but is important for cost savings and proper data management.
What are the common environments used in software development?
- Development Environment
- Test Environment
- Staging Environment
- Production Environment
Each environment serves a specific purpose in the software development lifecycle.
What is the role of the production environment?
It is the live system where software changes that have been tested and approved are deployed.
Proper change management processes are typically followed to ensure accountability.
What is DevOps?
A model that combines software development and IT operations to optimize the SDLC using toolchains.
DevOps aims to improve processes through automation and collaboration.
What does DevSecOps add to the DevOps model?
It integrates security into the DevOps model, making security a shared responsibility throughout the development and operations cycle.
This ensures security is considered at every stage of application development.
What is continuous integration (CI)?
A development practice that checks code into a shared repository on an ongoing basis, enabling automation in the build process.
CI aims to facilitate continuous delivery of code.
What is the relationship between continuous integration and continuous deployment (CD)?
CI involves ongoing code check-ins and automated builds, while CD automatically rolls out tested changes into production after validation.
Together, they streamline software delivery processes.
What must be built into the CI/CD pipeline to ensure security?
Continuous validation and automated security testing must be integrated into the pipeline testing process.
This helps prevent vulnerabilities from being deployed.
What is the first opportunity for security professionals to help with software security?
In the requirements gathering and design phases
Security can be built in as part of the requirements and designed based on those requirements.
What techniques can improve the quality and security of the code during development?
Secure coding techniques, code review, and testing
These practices enhance the overall security of the developed software.
What tools can be used during the testing phase to assess software security?
Web application security scanners and penetration testing techniques
These tools help identify vulnerabilities in fully integrated software.
What is one of the best resources for secure coding practices?
Open Worldwide Application Security Project (OWASP)
OWASP provides standards, guides, best practices, and tools for developers and security practitioners.
What is the purpose of OWASP’s top proactive controls?
To provide a set of useful best practices for application security
It also helps track how web application security threats evolve over time.
What does the proactive control ‘Define Security Requirements’ involve?
Implementing security throughout the development process
This ensures security is considered at every stage of development.
Fill in the blank: ‘Leverage Security Frameworks and Libraries’ means utilizing _______.
Preexisting security capabilities
This makes securing applications easier.
What is a key practice for securing database access?
Prebuild SQL queries to prevent injection
Proper configuration of databases for secure access is also important.
What should be done to user input to ensure security?
Treat it as untrusted and filter appropriately
This helps prevent various types of attacks, including injection attacks.
What does ‘Implement Digital Identity’ involve?
Using multifactor authentication, secure password storage, and session handling
This enhances the security of user identities.
What is the principle of least privilege in access controls?
Apply the principle of least privilege
Deny all requests by default and require access control checks.
How should sensitive data be handled during error management?
Errors should not provide sensitive data
Applications should be tested to ensure they handle problems gracefully.
What are APIs?
Interfaces between clients and servers or applications and operating systems
They define how the client requests information and how the server responds.
What are key components of API security?
Authentication, authorization, proper data scoping, rate limiting, input filtering, monitoring and logging
These measures help secure APIs from vulnerabilities.
What does OWASP’s API Security Project provide?
A breakdown of API security techniques
It offers guidance on how to secure APIs effectively.
True or False: Security professionals are often asked to write scripts or programs that can access APIs.
True
This is common in security-related tasks to pull data from APIs.
What percentage of applications scanned by Veracode in 2023 exhibited at least one security issue?
74 percent
What is the purpose of software security testing?
To identify flaws in the code of applications.
What are the two main types of code analysis mentioned?
Static code analysis and dynamic code analysis
What does static code analysis focus on?
Understanding how the program is written and what the code is intended to do
True or False: Static code analysis executes the program.
False
What is fuzz testing also known as?
Fuzzing
What does dynamic code analysis rely on?
Execution of the code while providing it with input
What are the advantages of automated tools in software security testing?
They provide an easier way to verify that code is more secure and handle large volumes of tests
Fill in the blank: Fuzz testing involves sending _______ to an application to test its handling of unexpected data.
invalid or random data
What does regression testing ensure after code changes are made?
That the fixes didn’t create new security issues
What is the main limitation of fuzzing?
It tends to only identify simple problems and may not provide complete code coverage
What type of problems can static code analysis help identify?
Programming and syntax errors, internal business logic problems
What is the preferred method for conducting dynamic code analysis?
Automated testing
What does fuzzing help detect in applications?
Input validation issues, logic issues, memory leaks, error handling
What is manual static code analysis sometimes referred to as?
Code understanding
True or False: Dynamic testing provides specific remediation suggestions.
False
What does Veracode provide annually regarding software security?
A yearly review of the state of software security
What is the main goal of analyzing and testing code?
To understand what the code does, how it performs tasks, and where flaws may occur
Fill in the blank: Static code analysis can be conducted using _______ tools or manually.
automated
What are injection vulnerabilities?
Injection vulnerabilities are primary mechanisms that attackers use to break through a web application and gain access to the systems supporting that application.
What is a SQL injection attack?
A SQL injection attack involves supplying malicious SQL code to a web application to manipulate database queries.
What might a typical SQL query for a search function look like?
SELECT ItemName, ItemDescription, ItemPrice FROM Products WHERE ItemName LIKE '%searchTerm%'
In a SQL injection attack, what might an attacker input to retrieve customer data?
orange tiger pillow'; SELECT CustomerName, CreditCardNumber FROM Orders; --
What is blind SQL injection?
Blind SQL injection is a technique used when attackers cannot see the results of their queries directly.
What is a content-based blind SQL injection attack?
A content-based blind SQL injection attack tests whether the application interprets injected code by manipulating input.
How can an attacker test for SQL injection vulnerability using a specific input?
By entering '52019' OR 1=1;-- in an input field.
What is the outcome of the query: SELECT FirstName, LastName, Balance FROM Accounts WHERE AccountNumber = '52019' OR 1=1?
It matches all results in the Accounts table.
What does the input '52019' AND 1=2;-- accomplish in SQL injection?
It results in a query that never returns any results.
What is a timing-based SQL injection attack?
A timing-based SQL injection attack uses the time it takes to process a query to infer information about the database.
What command can be used in a timing-based SQL injection to introduce a delay?
WAITFOR DELAY '00:00:15'
What is the purpose of using a timing-based attack to discover a password?
To check each character of the password one by one by introducing delays.
What are code injection attacks?
Code injection attacks seek to insert attacker-written code into legitimate code created by a web application developer.
Give an example of another type of injection attack besides SQL injection.
- LDAP injection
- XML injection
- DLL injection
What is cross-site scripting (XSS)?
Cross-site scripting is a code injection attack that inserts HTML code written by an attacker into web pages created by a developer.
What is a command injection attack?
A command injection attack allows an attacker to execute commands on the operating system via a web application.
How might an attacker exploit a web application that creates directories?
By inputting 'mchapple & rm -rf /home' to execute system commands.
What is the risk of an application using system() calls?
It can allow attackers to manipulate the operating system if input is not properly validated.
What is the primary purpose of authentication mechanisms in applications?
To confirm the identity of users and devices and verify authorization for specific actions.
Why are passwords considered a weak form of authentication?
They are easily defeated due to being a knowledge-based authentication technique.
Name one method attackers use to discover a user’s password.
Conducting social engineering attacks.
What is credential brute-forcing?
An exhaustive search to crack weakly hashed passwords obtained from a target system.
What are common default username/password combinations that attackers test?
- administrator/password
- admin/password
- admin/admin
What is the difference between credential-stealing attacks and session hijacking attacks?
Credential-stealing attacks authenticate using a stolen account; session hijacking takes over an already authenticated session.
How do most websites manage user sessions?
Using cookies managed in the user’s browser.
What does a cookie contain in the context of session authentication?
An authentication string that ties the cookie to a particular user session.
True or False: Cookies are similar to physical badges used for authentication at events.
True
How can an attacker steal a cookie?
By eavesdropping on unencrypted network connections.
What is cookie manipulation in the context of session attacks?
Altering the details sent back to the website or using the cookie to gain access.
What is a session replay attack?
Using a stolen cookie to impersonate a user to a website.
What is the purpose of marking cookies with the SECURE attribute?
To ensure cookies are only transmitted over encrypted channels.
What is the NTLM pass-the-hash attack?
An attack where stored NTLM password hashes are used to gain access to systems.
What is an unvalidated redirect in web applications?
Allowing redirection to any URL, which can be exploited by attackers.
How can developers protect against unvalidated redirects?
By performing validated redirects against an approved list of URLs.
Fill in the blank: An attacker might use an unvalidated redirect to redirect a user to a _____ site.
malicious
What is a common issue in application development regardless of the chosen framework or language?
The same security problems continue to appear in applications all the time.
Why are comments in source code important?
They provide documentation of design choices, explain workflows, and offer details crucial to other developers.
What risk do comments in code pose to security?
They can provide attackers with a roadmap explaining how code works, potentially revealing critical security details.
What should developers do with comments in production versions of the code?
Remove comments from production versions before deployment.
How can attackers exploit errors in code?
By creating unexpected situations that test the boundaries of the code.
What is a defense-in-depth approach in cybersecurity?
It involves implementing multiple layers of security controls to protect against threats.
What is the risk of overly verbose error handling routines?
They may expose too much information about the code’s inner workings, aiding attackers.
What is a backdoor vulnerability?
A hard-coded maintenance account that allows bypassing normal authentication.
What is the consequence of hard-coding credentials in source code?
If disclosed, those credentials can be used by outsiders to gain unauthorized access.
What does package monitoring involve?
Keeping track of all third-party libraries, understanding their functions, and updating them to secure versions.
What is resource exhaustion?
When a system consumes all available memory, storage, or processing time, leaving it unable to function.
What is a memory leak?
When an application fails to return memory to the operating system that it no longer needs.
What issue arises from dereferencing a null pointer?
It causes a null pointer exception, potentially providing an attacker with debugging information.
What is a buffer overflow attack?
When an attacker manipulates a program to place more data into memory than allocated.
What is memory injection in the context of buffer overflow attacks?
Maliciously inserting information into memory in order to overwrite other data.
What are the three important terms related to race conditions?
- Time-of-Check (TOC)
- Time-of-Use (TOU)
- Target of Evaluation (TOE)
What is a Time-of-Check-to-Time-of-Use (TOCTTOU) issue?
Occurs when a program checks access permissions too far ahead of a resource request.
What can unprotected APIs lead to?
Unauthorized use of functions and potential modification of services.
What should be used to secure APIs not intended for public use?
An authentication mechanism, such as an API key, accessed over encrypted channels.
What is the primary purpose of standardizing tasks in cybersecurity?
To identify opportunities for automation
What are the two key characteristics of processes suitable for automation?
Repeatable and do not require human interaction
What does SOAR stand for?
Security Orchestration, Automation, and Response
How can SOAR platforms improve an organization’s use of threat intelligence?
By enriching data about ongoing incidents with information about emerging threats
Name three scripting languages commonly used in cybersecurity automation.
- Python
- Bash
- PowerShell
Fill in the blank: Automated scripts can handle the process of ______ access to systems and networks.
user provisioning
What is one use case for automation in resource management?
Automating the allocation and deallocation of system resources
True or False: Automation can prevent violations of security protocols.
True
What benefit does automation provide regarding reaction time to security incidents?
Reduces reaction time
List two benefits of automation and scripting in cybersecurity.
- Enhancing operational efficiency
- Reducing reaction time
What is a potential challenge of implementing automation?
Complexity in development and management of automation scripts
What is a single point of failure in the context of automation?
Over-reliance on automation that could impact operations if a script malfunctions
Fill in the blank: Ongoing supportability of scripts requires dedicated ______.
resources
What can be a consequence of outdated automated scripts?
Technical debt
How does automation act as a workforce multiplier?
By handling repetitive tasks, increasing team capacity
What can automation ensure regarding security baselines?
Consistent application across systems and networks
What is one way automation improves employee satisfaction?
By automating mundane tasks
Fill in the blank: Automation can streamline the ______ process in IT operations.
ticketing
What integral role does software play in organizations?
Performs tasks ranging from financial transactions to the management of sensitive physical infrastructure components.
What must cybersecurity professionals ensure about the software used in their environment?
Undergoes rigorous testing to determine if it meets business requirements and does not expose the organization to cybersecurity risks.
What is necessary to achieve software security goals?
A strong understanding of different types of vulnerabilities.
What types of applications are mentioned in relation to vulnerabilities?
Client-server and web applications.
What are the main focuses of the chapter?
Vulnerabilities in source code and tools used to manage software security risks.
Fill in the blank: Cybersecurity professionals must test software to ensure it does not expose the organization to _______.
serious cybersecurity risks
True or False: The chapter discusses the importance of understanding software vulnerabilities.
True