Chapter 10- Secure Software Development

Question 1

What does SDLC stand for

Answer 1

Software Development Life Cycle

Question 2

is an organized process of developing a secure application throughout the life of the project.

Answer 2

Software Development Life Cycle (SDLC)

Question 3

What are the phases of SDLC?

Answer 3

• Planning and Analysis
• Software/Systems Design
• Implementation
• Testing
• Integration
• Deployment
• Maintenace

Question 4

Software develpment is performed in time-boxed or small increments to allow more adaptivity to change.

Answer 4

Agile

Question 5

Software develpoment and inforemation technology operations.

Answer 5

DevOps

Question 6

Users and processes should be run using the least amount of access necessary to perform a given function.

Answer 6

Least Privilege

Question 7

Layering of security controls is moe effective and secure than relying on a single control.

Answer 7

Defense in Depth

Question 8

Any input that is recieved from a user should undergo input validation prior to allowing it ot utilized by an application.

Answer 8

Never Trust User Inuput

Question 9

Reduce the amount of code used by a program, eliminate unneeded fuctionality, and require authentication prior to running additional plugins.

Answer 9

Minimize Attack Surface

Question 10

Default instalations should include secure configurations instead of requiring an administrator or user to add in additional security.

Answer 10

Create Secure Defaults

Question 11

Applications should be deployed using code signing to esure the program is not changed inadvertently or maliciously prior to delivery to an end user.

Answer 11

Authenticity and integrity

Question 12

Applications should be coded to properly conduct error handling for exceptions in order to fail securely instead of crashing.

Answer 12

Fail Securely

Question 13

If a vulnerability is identified, then it should be quickly and correctly patched to remove the vulnerablity.

Answer 13

Fix Security Issues

Question 14

SDKs must come from trusted sources to ensure no malicious code is being added

Answer 14

Rely on Trusted SDKs

Question 15

Occurs when a tester is not provided with any information about the system or program prior to conduction the test.

Answer 15

Black-box Testing

Question 16

Occurs when a tester is provided full details of a system including the source code, diagrams, and user credentials in order to conduct the test.

Answer 16

White-box Testing

Question 17

This is a mixture of black-box and white-box where the tester is given some amount of information about the system and conducts his testing as if he doesn’t have full access to it.

Answer 17

Gray-box Testing

Question 18

Provides control over what the application should do when faced with a runtime or syntax error.

Answer 18

Structured Exception Handling (SEH)

Question 19

Applications verigy that information received from a user matches a specific format or range of values.

Answer 19

Input Validation

Question 20

Source code of an applciation is reviewed manually or with automatic tools without running the code.

Answer 20

Static Analysis

Question 21

Analysis and testing of a program occurs while it is being executed or run.

Answer 21

Dynamic Analysis

Question 22

Injection of randomized data into a software program in an attempt to find system failures, memorey leaks, error handling issues, and improper input validation.

Answer 22

Fuzzing

Question 23

Code placed in computer programs to bypass normal authentication and other security mechanisms.

Answer 23

Backdoors

Question 24

Method of accessing unauthorized directories by moving through the directory structure on a reomote server.

Answer 24

Directory Traversal

Question 25

Occurs whena n attacker is able to execute or run commands on a victim computer.

Answer 25

Arbitrary Code Execution

Question 26

Occurs when an attacker is able to execute or run commands on a remote computer.

Answer 26

Remote Code Execution (RCE)

Question 27

Attack against a vulnerability that is unknown to the original developer or manufacturer.

Answer 27

Zero Day

Question 28

Occurs when a process stores data outside the memory range allocated by the developer.

Answer 28

Buffer Overflow

Question 29

A temporary storage area that a program uses to store data.

Answer 29

Buffer

Question 30

Over *5% of data breaches were caused by?

Answer 30

Buffer Overflow

Question 31

Reserved area of memory where the program saves the return address when a function call instruction is received.

Answer 31

Stack

Question 32

Occurs when an attacker fills up the buffer with NOP so that the return address may hit a NOP and continue on until it finds the attacker’s code to run.

Answer 32

Smash the Stack

Question 33

Method used by programmers to randomly arrange the different address spaces used by a program or process to prevent buffer overflow exploits.

Answer 33

Address Space Layout Randomization

Question 34

Occurs whena an attacker embeds malicious scripting commands on a trusted website

Question 35

Attempts to get data provided bt the attacker to be saved on the web server by the victim.

Answer 35

Stored/Persistent

Question 36

Attempts to have a non-persistent effect activated by a victim clicking a link on the site.

Answer 36

Reflected

Question 37

Attempt to exploit the victim’s web browser.

Answer 37

Document Object Model (DOM)-based

Question 38

Occurs when an attacker forces a user to execute actions on a web server for which they are already authenticated.

Answer 38

Cross-Site Request Forgery (XSRF/CSRF)

Question 39

Attck consisting of the isertion or injection of an SQL query via input data from the client to a web application.

Answer 39

SQL Injection

Question 40

Insertion of additional information or code through data input from a client to an application.

Answer 40

Injection Attack

Question 41

XML encodes entities that expand to exponential sizes, consuming memory on the host and potentially crashing it.

Answer 41

XML Bomb (Billion Laughs Attack)

Question 42

an attack that embeds a request for a local resource.

Answer 42

XML External Entity (XXE)

Question 43

A sfotware vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events, and those events fail to execute in the order and timing intended by the developer.

Answer 43

Race Condition

Question 44

A software vulnerablility that occurs when the code attempts to ermove the relationship between a pointer and the thing it points to.

Answer 44

Dereferencing

Question 45

The potential vulnerablility that occurs when there is a change between when an app checked a resource and when the app used the resource.

Answer 45

Time of Check to Time of Use (TOCTTOU)

Question 46

Any code that is used or invoked outside the main program development process.

Answer 46

Insecure Components

Question 47

Any program that does not properly record or log detailed enough information for an analyst to perform their job.

Answer 47

Insufficent Logging and Monitoring

Question 48

Any program that uses ineffective credentials or configurations, or one in wich the defaults have not been changed for security.

Answer 48

Weak or Default Configuration.