Chapter 6 - Application Security Flashcards
Software Development Life Cycle (SDLC)
The SDLC describes the steps in a model for software development throughout its life.
What are the main steps of the Software Development Life Cycle?
- Planning
- Requirements
- Design
- Coding
- Testing
- Training and Transition
- Ongoing Operations and Maintenance
- End of Life Decommissioning
What are the four most common types of Code Deployment Environments?
- Development Environment
- Test Environment
- Staging Environment
- Production Environment
DevOps
DevOps combines software development and IT operations with the goal of optimizing the SDLC. This is done by using collections of tools called toolchains to improve the SDLC processes.
Continuous Integration (CI)
Continuous Integration (CI) is a development practice in which developers frequently check code into a shared repository. The main goal of this approach is to enable the use of automation and scripting to implement automated courses of action that result in continuous delivery of code.
Continuous Deployment/Delivery (CD)
Continuous Deployment (CD) rolls out changes into production automatically as soon as they have passed testing. Using continuous integration and continuous deployment methods requires building continuous validation and automated security testing into the pipeline's testing process.
Application Programming Interfaces (API)
APIs are interfaces between clients and servers or applications and operating systems that define how the client should ask for information from the server and how the server will respond.
Static Code Analysis
Static Code Analysis is conducted by reviewing the code for an application. Static Analysis does not run the program; instead, it focuses on understanding how the program is written and what the code is intended to do.
Dynamic Code Analysis
Dynamic Code Analysis relies on executing the code while providing it with input to test the software. Automated dynamic analysis exercises all of the interfaces that the code exposes to the user with a variety of inputs, searching for vulnerabilities.
Fuzzing
Fuzzing involves sending invalid or random data to an application to test its ability to handle unexpected data. The application is monitored to determine whether it crashes, fails, or responds incorrectly.
Injection Vulnerabilities
Injection Vulnerabilities allow an attacker to supply some type of code to the web application as input and trick the web server into either executing that code or supplying it to another server to execute.
Blind Content-Based SQL Injection
In a Blind Content-Based SQL Injection attack, the perpetrator sends input to the web application that tests whether the application is interpreting injected code before attempting to carry out an attack.
Blind Timing-Based SQL Injection
In a Blind Timing-Based SQL Injection attack, the amount of time required to process a query is used as a channel for retrieving information from a database.
Session Hijacking
Session Hijacking attacks take over an already authenticated session with a website/application. An attacker can steal a cookie managed by the target user’s web browser to impersonate them and gain access.
Unvalidated Redirects
Unvalidated Redirects allow an attacker to redirect the user to a malicious site. Some web applications allow the browser to pass destination URLs to the application and then redirect the user to that URL at the completion of their transaction.
Insecure Direct Object Reference
Insecure Direct Object References allow users to view information that exceeds their authority. These attacks can occur when a web application does not perform authorization checks for each request.
Directory Traversal
Directory Traversal attacks work when web servers allow the inclusion of operators that navigate directory paths and filesystem access controls don’t properly restrict access to files stored elsewhere on the server.
File Inclusion Attacks
File Inclusion Attacks execute the code contained within a file, allowing the attacker to fool the web server into executing arbitrary code.
Privilege Escalation
Privilege Escalation attacks seek to increase the level of access that an attacker has to a target system.
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS) attacks occur when web applications allow an attacker to perform HTML injection, inserting their own HTML code into a web page. A malicious individual could embed form input in a link to a legitimate website so that the site includes that input in the page it returns.
Request Forgery Attacks
Request Forgery Attacks exploit trust relationships and attempt to have users unwittingly execute commands against a remote server.
Cross-Site Request Forgery (XSRF)
Cross-Site Request Forgery (XSRF) attacks work by making the reasonable assumption that users are often logged into many different websites simultaneously. Attackers embed code in one website that sends a command to a second website into which the user is presumably already logged.
Input Validation
Input Validation is the process of handling user input and ensuring that it fits an appropriate pattern before sending the input to the next step. For web applications, input validation should always be performed server-side.
Web-Application Firewall (WAF)
Web-Application Firewalls (WAFs) function similarly to network firewalls, but they work at the Application layer. A WAF sits in front of a web server and receives all network traffic headed to that server, performing its own input validation on the data before passing it along to the web server.
Sandboxing
Sandboxing is the practice of running an application in a controlled or isolated environment to prevent it from interacting negatively with other system resources or applications.
Code Repositories
Code Repositories are centralized locations for the storage and management of application source code.
Code Signing
Code Signing provides developers with a way to confirm the authenticity of their code to end users. Developers use a cryptographic function to digitally sign their code with their own private key. Browsers can then use the developer's public key to verify that signature and ensure that the code is legitimate and was not modified by unauthorized individuals.
Scalability
Scalability is the principle that applications should be designed so that the computing resources they require can be added incrementally to support increasing demand.
Elasticity
Elasticity is the principle that applications should be able to provision resources automatically to scale up when necessary and then automatically deprovision those resources to reduce capacity when it is no longer needed.
Race Condition
Race Conditions occur when the security of a code segment depends upon the sequence of events occurring within a system.
Security Orchestration, Automation and Response (SOAR)
SOAR platforms provide many opportunities to automate security tasks that cross between multiple systems. Cybersecurity professionals can also use scripting languages such as Python, Bash or PowerShell to achieve their automation goals.
What are some of the potential challenges that might arise during the implementation of automation?
- Complexity
- Cost
- Single point of failure
- Technical debt
- Ongoing supportability
What are some of the common use cases for automation and scripting?
- User provisioning
- Resource provisioning
- Guard rails (prevent violation of security protocols)
- Security groups
- Ticket creation
- Escalation
- Enabling/disabling services and access
- Continuous integration and testing
- Integrations and APIs
What are some benefits of automation and scripting?
- Achieving efficiency and time savings
- Enforcing baselines
- Standardizing infrastructure configurations
- Scaling in a secure manner