6. SecureSoftwareDevelopment - Control Questions Flashcards

1
Q

What is the CVE?

A

○ publicly available database of known vulnerabilities

2
Q

Why is developing secure software difficult?

A

○ The table is tilted
■ Developer constraints: time, resource, functionality
■ Attacker constraints: motivation and preparedness
○ Security testing is challenging
■ Functional testing: how the system should work
■ Security testing: how the system should NOT work
○ Weak business motivation
■ Measurement is difficult → no customer-enforced competition
○ End-users suffer
■ Developers are not motivated enough

3
Q

● Outline the stages of Microsoft’s Secure Development Lifecycle!

A

(figure)

4
Q

● Outline the stages of Microsoft’s Secure Development Lifecycle!

A

○ Development team: does the actual development of the product
○ Development Team Security Contact: member of the dev team; the security advisor contacts this person with security information
○ Security advisor:
■ point of contact between the devs and the security team (if there is one)
■ holds the SDL kick-off meeting
■ holds design and threat-model reviews with the dev team
■ analyzes security-related bugs
■ addresses security and privacy questions/ideas
○ Security Leadership Team: regular communication about security and privacy bug counts, updates, and security status in general

5
Q

● What is a bug tracking system?

What is required for successful bug tracking?

A

○ Database about bugs
○ Include security/privacy related info as well!
○ Required fields: (figure)

6
Q

● What does the design principle “economy of mechanism” say?

A

○ The more complex the software, the greater the chance of bugs
○ A smaller code base is easier to maintain

7
Q

● What does the design principle “fail-safe defaults” say?

A

○ Whitelisting approach
■ Initially: access is denied
■ If access is requested, check that it is permitted
○ Result of a failure: false negative
■ Access is denied when it should have been permitted

8
Q

● What does the design principle “complete mediation” say?

A

○ Check every access to every object

9
Q

● What does the design principle “separation of privilege” say?

A

○ Multiple conditions should be met before granting permissions
■ Systems are more robust and flexible
● A single check may fail or be subverted
○ Prerequisite: compartmentalization
■ Break the system down into smaller components
■ Each component can check a condition

10
Q

● What does the design principle “least privilege” say?

A

○ Programs should run with the minimum amount of privilege necessary to accomplish the task
○ Limits the damage from accidents and errors

11
Q

● What does the design principle “open design” say?

A

○ Don’t depend on the secrecy of the design
○ Doing so is security by obscurity

12
Q

● What does the design principle “least common mechanism” say?

A

○ Minimize the amount of mechanism that is
■ common to more than one user, and
■ depended on by all users
○ Sharing is a channel for information transmission

13
Q

● What does the design principle “psychological acceptability” say?

A

○ If users do not accept it, they will bypass it
○ Consider the human in the loop!
○ Interaction with the system should be easy and intuitive
○ Resource access should remain easy

14
Q

● What is the attack surface of the software?

A

○ Consider the attack surface of the software!
■ All paths for data/commands into and out of the application
■ Code that protects these paths
■ All valuable data used in the application
■ Code that protects these data

15
Q

● Your software detects that the input is corrupted. What should the software do?

A

○ Input: filtering and validation
■ Terminate on suspicious input, don’t try to fix it!
■ Whitelist strategy

16
Q

● Describe the signedness bug!

A
○ Signedness bugs occur when an unsigned variable is interpreted as signed, or when a signed variable is interpreted as unsigned. This type of behaviour can happen because, internally to the computer, there is no distinction between the way signed and unsigned variables are stored.
// signedness bug

17
Q

● Are the results of arithmetic operations mathematically correct? Why?

A

○ There is no guarantee that the result of arithmetic operations is mathematically correct
○ Because an unsigned int can only take positive values, while an int can also take negative values

18
Q

● Name 3 examples of improper error handling!

A

○ Improper handling of errors can introduce a variety of security problems for a web site. The most common problem is when detailed internal error messages such as stack traces, database dumps, and error codes are displayed to the user (hacker). These messages reveal implementation details that should never be revealed. Such details can provide hackers with important clues about potential flaws in the site, and such messages are also disturbing to normal users.

○ Ambiguous error signalling and handling
○ Should an Error or an Exception be used?
○ No valid state restoration after an exception
○ Incorrect handling
○ Information leakage
// Improper_Error_Handling#Description

19
Q

● What information is required for logging?

A

○ When: log date and time, event date and time
○ Where: application identifier or address, code location, geolocation, service
○ Who: IP address, user identity (user name, licence number, …)
○ What: type of event, severity of event, description, security-relevant flag

20
Q

● What is the importance of logs?

A
○ Logs are the main source of data for:
■ Identifying security incidents
■ Monitoring policy violations
■ Assisting non-repudiation controls
■ Incident investigation

21
Q

● What type of data should never be logged?

A
○ What not to log?
■ Keys
■ Passwords
■ Source code
■ Tokens
■ And other sensitive information

22
Q

● When should security testing be performed?

A

○ during each software development lifecycle phase

23
Q

● What is white-box security testing?

A

○ The tester has knowledge of how the system is implemented → requires access to the source code

24
Q

● Name 4 approaches to white-box security testing!

A

○ Data flow analysis: how data is handled within the application
○ Control flow analysis: how the control flow changes
○ Code review: manual or automated
○ Code-based fault injection: injects source code to force changes to the state of the application, usually for testing anomalous circumstances

25
Q

● What is black-box security testing?

A

○ The tester has limited knowledge of the system under test → only inputs and outputs are observable

26
Q

● Name 4 approaches to black-box security testing!

A

○ Syntax testing: generating a wide range of legal and illegal input values
○ Exploratory testing: testing without specific expectations about outcomes
○ Test scaffolding: support tools to carry out tests, e.g. injecting error codes
○ Coded scripting: writing a series of instructions that describe user behavior

27
Q

● What is the goal of penetration testing?

A

○ The process of attempting to gain access to resources without the normal means of access
○ Success: obtaining or subverting protected information
○ Demonstrates what an attacker could do

28
Q

● What are the phases of penetration testing?

A

○ Reconnaissance: learn as much about the system as possible
■ Tools: Nmap, Nessus, John the Ripper, etc.
○ Check public databases for known vulnerabilities
○ Launch attack(s) based on collected information
■ Tool: Metasploit framework
○ Compile the results into a legible format for decision makers

29
Q

● What is the difference between the security response plan and the incident response plan?

A

○ Create the security response plan → Security Response Center
■ New vulnerabilities will appear
■ What should you do when your application is affected as well?
■ How can others get in touch if they uncover a vulnerability?
○ Create the incident response plan → Incident Response Team
■ What if the vulnerability disclosure was not responsible?
■ What if your service is attacked?

30
Q

● Describe the vulnerability lifecycle!

A

(figure)

31
Q

● What is the security response center?

What are its tasks during Post-SDL Response phase?

A

(figure)

32
Q

● What are the tasks of the development team during the security response process?

A

(figure)

33
Q

● What is the task of the incident response team?

A

(figure)