Chapter 5 : Application Security

Question 1

Securing Web Browsers

Answer 1

• Avoid newest versions and disable auto update (new versions are unstable)
  
  • Consider organizational requirements and OS
  • General Browser Security Procedures
    > Implement Policies
    Hand written, browser settings, GPO(Windows), OS setting etc
    > Train Users
    > Use proxy and content filter
    Proxy serves as an intermediate cache between server and client
    Configured in browser settings / domain controller
    Beware of malicious proxy configurations
    > Secure against malicious code
    Configure Java, ActiveX, Javascript, Flash media etc

Question 2

• Web Browser Concerns and Security Methods

Answer 2

Basic Methods
			> Timely Updates
			> Adblock, pop up blocking
			> Implement security zones
			> Control ActiveX/Java/Plugins
			> Avoid jailbreaking (mobile)

Question 3

How can you secure Cookies?

Answer 3

> Configure and control through browser settings

> Related threat : Session Hijacking

Question 4

Securing LSO(Locally Shared Objects - Flash)

Answer 4

> Flash version of cookies, may be used to track users

> Configure and control in Flash Player Settings Manager

Question 5

Securing Addons / Plugins

Answer 5

> Inherent security risk, disable all

> Most IE plugins made with vulnerable ActiveX

Question 6

Advanced Browser Security

Answer 6

> Browser temp files – configure to automatically flush
> Disable saved passwords
> Configure a minimum version limit on TLS/SSL
> Disable all 3rd party plugins
> Consider using a VPN or virtual machine for extra separation

Question 7

Principle of Least Functionality

Answer 7

don’t give tools users don’t need

Question 8

User Account Control (Windows)

Answer 8

• Keeps everyone on regular user level of access by default

- Prompts required to access any admin right required things

Question 9

Securing common Windows programs 1. Outlook

Answer 9

> Install latest update, upgrade to newer version of Office
> Use email whitelisting to remove junk email
> Read email in text format instead of HTML
> Enable attachment blocking
> Use encryption - SPA (Secure Password Authentication), PGP, SSL

Question 10

Securing common Windows programs 2. Word

Answer 10

> Using passwords for opening/modifying documents
> Read only settings
> Digital certificates

Question 11

Securing common Windows programs 3. Excel

Answer 11

> Password protected worksheets, no macro

> Excel encryption

Question 12

Mobile Applications

Answer 12

• Disable GPS

- Configure strong passwords

Question 13

Server Applications - e.g. FTP, Email, Web, SQL database

Answer 13

• Change default username / passwords

- Don’t consolidate multiple services into single machine

Question 14

SDLC

Answer 14

(Software Development Life Cycle)

Question 15

SDLC- Waterfall

Answer 15

> Traditional method

> Requirements are decided before development

Question 16

SDLC- Agile

Answer 16

> RAD (Rapid Application Development) approach
> Relatively new, Breaks development down to incremental changes
> Requires high dedication from members

Question 17

SDLC- DevOps

Answer 17

> Deployment tool, often used together with Agile method

Question 18

• Secure code review

Answer 18

> In depth code review for security bugs

> Included before fuzzing or penetration testing

Question 19

• Threat Modeling

Answer 19

> Identifying and prioritizing potential threats

Question 20

• Common Security Principles

Answer 20

1. Least Privilege
   2. Defense in Depth
   3. Never trust user input
   4. Minimizing attack surface
   5. Secure defaults
   6. Provide authenticity and integrity (program signatures)
   7. Fail securely (Error handling)
   8. Thorough testing of security fixes and patches

Question 21

White box vs Black box testing

Answer 21

> white box, black box, gray box, stress testing, pentesting etc

Question 22

Compile time vs runtime errors

Answer 22

> Reminder that both software and hardware has runtime errors
> SHE (Structured Exception Handling) deals with both SW/HW

Question 23

Static vs Dynamic code analysis

Answer 23

> Static : No code execution, examines code with automated tools
> Dynamic : Runtime examination of code behavior for bugs
* Fuzzing is a form of dynamic code analysis

Question 24

Arbitrary and Remote Code Execution

Answer 24

> Shellcode injections

> Strong input validation, fuzz testing