Chapter 3 - Secure Software Design

Question 1

What causes the majority of software security issues?

Answer 1

Insecure or incomplete design.

Question 2

What methods can be used for attack surface evaluation?

Answer 2

Threat models and misuse case modeling

Question 3

What are the benefits to designing security into software?

Answer 3

• Resiliency and recoverability
• Quality, maintainability, less prone to errors
• Minimal redesign and consistency
• Addressed business logic flaws

Question 4

What is a business logic flaw?

Answer 4

A flaw where the software is operating as designed, but the design itself makes circumventing the security policy possible.

Question 5

What is the difference between a flaw and a bug?

Answer 5

Flaws are design or architectural defects. Coding or implementation constructs that can cause a breach in security are bugs.

Question 6

What is a semantic issue?

Answer 6

A logic flaw.

Question 7

What are the core security elements?

Answer 7

Confidentiality, Integrity, Availability, Authentication, Authorization, and Auditing.

Question 8

What are the types of cryptography?

Answer 8

Covert and Overt

Question 9

What are the types of covert cryptography?

Answer 9

Steganography and digital watermarking

Question 10

What are the types of overt cryptography?

Answer 10

Hashing and encryption

Question 11

What are the types of encryption?

Answer 11

Symmetric and asymmetric

Question 12

What is “work factor”?

Answer 12

In cryptanalysis, the amount of work required to defeat an algorithm.

Question 13

What is the only provably unbreakable encryption?

Answer 13

The one time pad

Question 14

Describe symmetric encryption

Answer 14

It’s characterized by using a single key for encryption and decryption that must be shared between the sender and receiver.

Question 15

What is the benefit to symmetric key encrryption?

Answer 15

It’s fast and efficient.

Question 16

What are the challenges to symmetric key encryption?

Answer 16

• Key exchange and management require a secure, out-of-band mechanism.
• Scalability. Need a unique key for each pair of sender/recipient
• No nonrepudiation

Question 17

What kind of algorithm is RC-2?

Answer 17

Symmetric

Question 18

What kind of algorithm is RC-4?

Answer 18

Symmetric

Question 19

What kind of algorithm is RC-5?

Answer 19

Symmetric

Question 20

What is the key size of DES?

Answer 20

56 bits

Question 21

What is the key size of skipjack?

Answer 21

80 bits

Question 22

What is the key size of IDEA?

Answer 22

128 bits

Question 23

What is the key size of blowfish

Answer 23

128 bits

Question 24

What is the key size of 3DES?

Answer 24

168 bits

Question 25

What is the key size of twofish?

Answer 25

256 bits

Question 26

What is the key size of RC6?

Answer 26

256 bits

Question 27

What is the key size of AES/Rijndael?

Answer 27

256 bits

Question 28

What other term is used for nonrepudiation protection?

Answer 28

Proof-of-origin protection

Question 29

What advantages does public key crypto have?

Answer 29

• Key exhange is easier.
• Scalability. Each user only needs 2 keys (public/private)
• Addresses nonrepudiation

Question 30

What is the disadvantage of public key crypto?

Answer 30

It’s computationally intensive, so slower.

Question 31

List common public key crypto algorithms.

Answer 31

RSA
El Gamal
Diffie-Hellman
Elliptic Curve Cryptosystem

Question 32

What is Elliptic Curve Cryptosystem ideal for?

Answer 32

Small hardware devices such as smart cards and mobile devices.

Question 33

What does a digital certificate include?

Answer 33

Public keys, algorithm information, owner and subject data, digital signature of the CA, and a validity date range.

Question 34

What are the types of digital certificates.

Answer 34

Personal
Server
Software publisher

Question 35

What hsould you use when copyright and IP protection are an issue?

Answer 35

Digital watermarking

Question 36

What should you use if data confidentiality in processing, transit, storage, and archiving need to be assured?

Answer 36

Hashing or encryption.

Question 37

What features can be used to assure integirty?

Answer 37

Hashing
Referential integrity
Resource locking
Code signing

Question 38

What is a message digest (according to the book)?

Answer 38

The original message and its hash value.

Question 39

What is collision free or collision resistance?

Answer 39

A property of hash functions where it is computationally infeasible to find two inputs that hash to the same value.

Question 40

What does salting a hash do (according to the book)?

Answer 40

Improve collision resistance

Question 41

What is a dictionary attack?

Answer 41

A brute force attack that attempts to thward security mechanisms using an exhaustive list.

Question 42

What are common hash functions?

Answer 42

MD2, MD4, MD5, SHA-[012].

Question 43

Describe hte MD series of hash functions.

Answer 43

All use a 128 bit output.

Proven not to be collision resistant.

Question 44

Describe the SHA family of hash functions.

Answer 44

SHA-[01] uses a 160 bit output.
SHA-224 generates 256 bit output
SHA-256 generates 256 bit output
SHA-384 generates 512 bit output
SHA-512 generates 512 bit output.

I think those are wrong.

Question 45

Describe HAVAL.

Answer 45

HAVAL is a hash function with variable length output (128, 160, 192, 224, 256)

Question 46

Which hash function is considered broken and no longer suitable for use?

Answer 46

MD5

Question 47

What is referential integrity?

Answer 47

Ensuring that data is not left in an orphaned state.

Question 48

What are cascading deletes?

Answer 48

A process that ensures referential integrity by deleting data from other tables when data is deleted in a table that references them if they share a common key.

Question 49

What is resource locking?

Answer 49

Disallowing concurrent operations on an object.

Question 50

What is deadlock?

Answer 50

A condition that can result from improper resource locking where multiple threads are all waiting for each other to release the object.

Question 51

What is connection pooling?

Answer 51

A database access efficiency methanism where a number of connections are cached for reuse.

Question 52

What factors should be considered in authentication design?

Answer 52

SSO and multifactor authentication, as well as the type of authentication required as specified int he requirements docs.

Question 53

Why can SSO have a large security impact?

Answer 53

Because credentials are only verified once.

Question 54

What should you consider in Authorization design?

Answer 54

Impact on performance, separation of duties, least privilege

Question 55

What should auditing data include?

Answer 55

Who, What, Where, When

Question 56

What is modular programming?

Answer 56

a software design technique in which the entire program is broken down into smaller subunits or modules

Question 57

What does it mean when a module is cohesive?

Answer 57

each module is designed to perform one and only one logical operation.

Question 58

What is the Single Responsibility Principle?

Answer 58

A software engineering principle related to modularity. EAch code unit should only do one thing and have one purpose.

Question 59

What is coupling.

Answer 59

Coupling is a reflection of the degree of dependencies between modules, i.e., how dependent one module is to another.

Question 60

How hsould modules be with respect to cohesion and coupling?

Answer 60

They should be highly cohesive and loosely coupled.

Question 61

How hsould modules be with respect to cohesion and coupling?

Answer 61

They should be highly cohesive and loosely coupled.

Question 62

What is separation of duties?

Answer 62

Compartmentalizing software funcitonality into two or more conditions, all of which must be satisfied before an operation can complete.

Split cryptographic keys, for example.

Question 63

What is defense in depth?

Answer 63

Also called layered defense.

Using multiple layers of controls such that a single vulnerability does not result in a compromise.

Question 64

What is “fail secure”?

Answer 64

A security principle that ensures that the software reliably functions when attacks, and is rapidly recoverable into a normal business and secure state in the event of design or implementation failure.

Question 65

What does “fail secure” preserve?

Answer 65

Resiliency.

Question 66

What is resiliency?

Answer 66

Confidentialy, integrity, availability

Question 67

What is economy of mechanism?

Answer 67

A secure design principle which states that the more complex the design of the software, the more likely there are vulnerabilties.

Simpler is generally more secure.

Question 68

What considerations should we keep in mind with respect to economy of mechanism?

Answer 68

• Avoid unnessary functionality or unneeded security mechanisms
• Strive for simplicity
• Strive for operational ease of use

Question 69

What is complete mediation?

Answer 69

A security principle that states that access requests need to be mediated each time, every time, so that authority is not circumvented in subsequent requests.

Question 70

Other hting about complete mediation:

Answer 70

In the design phase, identify all possible code paths that access privileged and sensitive resources. The design must require the code paths to use a single interface that performs access control checks before performing the requested operation.

Question 71

What is Kerchoff’s principle?

Answer 71

All information about a cryptosystem except the key should be public, and the security of the cryptosystem is dependent on the secrecy of the key.

Question 72

What is hardcoded credentials in source code an example of?

Answer 72

Security through obscurity.

Question 73

What are the principles of open design?

Answer 73

• The security of software should not be dependent on the secrecy of the design
• Security through obscurity should be avoided
• Design of protection mechanisms should be open for scrutiny by members of the community.

Question 74

What is Least Common Mechanisms?

Answer 74

the security principle by which mechanisms common to more than one user or process are designed not to be shared.

Question 75

What is psychological acceptability?

Answer 75

the security principle that states that security mechanisms should be designed to maximize usage, adoption, and automatic application.

Question 76

What features should security controls have to promote psychological acceptability?

Answer 76

• Be easy to use
• Do not affect accessibility
• Be transparent to the user

Question 77

What are the benefits of using tested and proven existing libraries and common components?

Answer 77

• The attack surface is not increased (you’re already using the code)
• No new vulnerabilities are introduced
• Can also increase productivity

Question 78

What is unmanaged code?

Answer 78

Code that:

• isn’t managed by any runtime environment
• is compiled to native code that will execute only on the processor architecture it’s compiled for
• memory allocation is not managed. Pointers can be manipulated
• Requires developers to write routines to check memory allocation, array bounds, etc.

Question 79

What is managed code?

Answer 79

Code that has the following characteristics:

• Is not directly executed by the OS, but is managed by a run-time environment
• Is not compiled into native code, but into an Intermediate Language (IL)
• Not generally susceptible to buffer overflows, format string vulnerabilties
• Relatively shorter development time because memory management, exception handleing, bounds checking, garbage collection, and type safety checking are automatically handled by the runtime environment.

Question 80

What is an inference attack?

Answer 80

gleaning sensitive information about the database from presumably hidden and trivial pieces of information using data mining techniques without directly accessing the database

Question 81

What is an aggregation attack?

Answer 81

An attack where information at different, security classification levels, which are primarily nonsensitive in isolation, end up becoming sensitive information when pieced together as a whole.

Question 82

What is polyinstantiation?

Answer 82

Polyinstantiation means that there exist several instances (or versions) of the database information, so that what is viewed by a user is dependent on the security clearance or classification level attributes of the requesting user.

Question 83

What are the two ways to accompliah database encryption?

Answer 83

• Native DBMS encryption

* Cryptographic resources outside the database.

Question 84

What is TDE?

Answer 84

Transparent Database Encryption. Cryptographic operations on a database that are transparent to the application layer. Can have substantial performance impact.

Question 85

What is the primary weakness to using native DBMS encryption?

Answer 85

The key is stored in the database.

Question 86

What is normalization?

Answer 86

A formal technique to organize data so that redundancy and inconsistency are eliminated.

Question 87

What is first normal form?

Answer 87

No Repeating Groups or fields in a table, e.g. fields with multiple values.

Question 88

What is second normal form?

Answer 88

No duplicates / eliminate redundant data

Also informally “eliminate non key-dependent duplicate data” rule.

Question 89

What is third normal form?

Answer 89

Data not dependent on the primary key of the table must be elminiated and stored in its own table.

Question 90

What is the drawback to database normalization?

Answer 90

Performance degradation

Question 91

What is denormalization?

Answer 91

Decreasing the normal form of a database deliberately, usually for performance reasons.

Question 92

What is a trigger?

Answer 92

A special type of procedure that is automatically executed upon the occurrence of certain conditions within the database.

Question 93

What is a database view?

Answer 93

a customized presentation of data that may be held in one or more physical tables (base tables) or another view itself.

A virtual table.

Question 94

What is DML?

Answer 94

Database Manipulation Language (INSERT, UPDATE, DELETE, etc).

Question 95

What is a SMI?

Answer 95

A Security Management Interface

An interface used to manage the security of the software itself. Administrative. HIgh level of privilege.

Question 96

Why is it important to secure SMIs?

Answer 96

They typically run at high privilege levels.

Question 97

What controls should be used for SMIs?

Answer 97

• Avoid remote connectivity and administration
• Employ data protection in transit, using channel security protection measures (SSL, IPSec)
• Use least privilege accounts and RBAC

Question 98

What design processes need to be completed for secure software?

Answer 98

• Attack surface evalution
• threat modelng
• control identification and prioritization
• documentation

Question 99

What is attack surface evaluation?

Answer 99

A software or application’s attack surface is the measure of its exposure of being exploited by a threat agent, i.e., weaknesses in its entry and exit points that a malicious attacker can exploit to his or her advantage.

Question 100

What is RASQ

Answer 100

Relative Attack Surface Quotient

Question 101

What is attack bias?

Answer 101

A value, based on its severity, for attack points in attack surface evaluation.