Chapter 6 - Application Security Flashcards

1
Q

Software Development Life Cycle (SDLC)

A

The SDLC describes the steps in a model for software development throughout its life.

2
Q

What are the main steps of the Software Development Life Cycle?

A
  1. Planning
  2. Requirements
  3. Design
  4. Coding
  5. Testing
  6. Training and Transition
  7. Ongoing Operations and Maintenance
  8. End of Life Decommissioning
3
Q

What are the four most common types of Code Deployment Environments?

A
  1. Development Environment
  2. Test Environment
  3. Staging Environment
  4. Production Environment
4
Q

DevOps

A

DevOps combines software development and IT operations with the goal of optimizing the SDLC. This is done by using collections of tools called toolchains to improve the SDLC processes.

5
Q

Continuous Integration (CI)

A

Continuous Integration (CI) is a development practice in which code is consistently checked into a shared repository. The main goal of this approach is to enable automation and scripting that carry out automated courses of action resulting in continuous delivery of code.

6
Q

Continuous Deployment/Delivery (CD)

A

Continuous Deployment (CD) rolls out changes into production automatically as soon as they have passed testing. Using continuous integration and continuous deployment methods requires building continuous validation and automated security testing into the pipeline testing process.

7
Q

Application Programming Interfaces (API)

A

APIs are interfaces between clients and servers or applications and operating systems that define how the client should ask for information from the server and how the server will respond.

8
Q

Static Code Analysis

A

Static Code Analysis is conducted by reviewing the code for an application. Static Analysis does not run the program; instead, it focuses on understanding how the program is written and what the code is intended to do.

9
Q

Dynamic Code Analysis

A

Dynamic Code Analysis relies on execution of the code while providing it with input to test the software. Automated dynamic analysis will run all of the interfaces that the code exposes to the user with a variety of inputs, searching for vulnerabilities.

10
Q

Fuzzing

A

Fuzzing involves sending invalid or random data to an application to test its ability to handle unexpected data. The application is monitored to determine whether it crashes, fails, or responds in an incorrect manner.

11
Q

Injection Vulnerabilities

A

Injection Vulnerabilities allow an attacker to supply some type of code to the web application as input and trick the web server into either executing that code or supplying it to another server to execute.

12
Q

Blind Content-Based SQL Injection

A

In a Blind Content-Based SQL Injection attack, the perpetrator sends input to the web application that tests whether the application is interpreting injected code before attempting to carry out an attack.

13
Q

Blind Timing-Based SQL Injection

A

In a Blind Timing-Based SQL Injection attack, the amount of time required to process a query is used as a channel for retrieving information from a database.

14
Q

Session Hijacking

A

Session Hijacking attacks take over an already authenticated session with a website/application. An attacker can steal a cookie managed by the target user’s web browser to impersonate them and gain access.

15
Q

Unvalidated Redirects

A

Unvalidated Redirects allow an attacker to redirect the user to a malicious site. Some web applications allow the browser to pass destination URLs to the application and then redirect the user to that URL at the completion of their transaction.

16
Q

Insecure Direct Object Reference

A

Insecure Direct Object References allow users to view information that exceeds their authority. These attacks can occur when a web application does not perform authorization checks for each request.

17
Q

Directory Traversal

A

Directory Traversal attacks work when web servers allow the inclusion of operators that navigate directory paths and filesystem access controls don’t properly restrict access to files stored elsewhere on the server.

18
Q

File Inclusion Attacks

A

File Inclusion Attacks execute the code contained within a file, allowing the attacker to fool the web server into executing arbitrary code.

19
Q

Privilege Escalation

A

Privilege Escalation attacks seek to increase the level of access that an attacker has to a target system.

20
Q

Cross-Site Scripting (XSS)

A

Cross-Site Scripting (XSS) attacks occur when web applications allow an attacker to perform HTML injection, inserting their own HTML code into a web page. A malicious individual could embed form input in a link to a legitimate website.

21
Q

Request Forgery Attacks

A

Request Forgery Attacks exploit trust relationships and attempt to have users unwittingly execute commands against a remote server.

22
Q

Cross-Site Request Forgery (XSRF)

A

Cross-Site Request Forgery (XSRF) attacks work by making the reasonable assumption that users are often logged into many different websites simultaneously. Attackers will embed code in one website that sends a command to a second website (that the user is already presumably logged into).

23
Q

Input Validation

A

Input Validation is the process of handling user input and ensuring that it fits an appropriate pattern before sending the input to the next step. For web applications, input validation should always be performed server-side.

24
Q

Web-Application Firewall (WAF)

A

Web-Application Firewalls (WAFs) function similarly to network firewalls, but they work at the Application layer. A WAF sits in front of a web server and receives all network traffic headed to that server, performing its own input validation on the data before sending it along to the web server.

25
Q

Sandboxing

A

Sandboxing is the practice of running an application in a controlled or isolated environment to prevent it from interacting negatively with other system resources or applications.

26
Q

Code Repositories

A

Code Repositories are centralized locations for the storage and management of application source code.

27
Q

Code Signing

A

Code Signing provides developers with a way to confirm the authenticity of their code to end users. Developers use a cryptographic function to digitally sign their code with their own private key; browsers can then use the developer’s public key to verify that signature and ensure that the code is legitimate and was not modified by unauthorized individuals.

28
Q

Scalability

A

Scalability says that applications should be designed so that computing resources they require may be incrementally added to support increasing demand.

29
Q

Elasticity

A

Elasticity says that applications should be able to provision resources automatically to scale when necessary and then automatically deprovision those resources to reduce capacity when it is no longer needed.

30
Q

Race Condition

A

Race Conditions occur when the security of a code segment depends upon the sequence of events occurring within a system.

31
Q

Security Orchestration, Automation and Response (SOAR)

A

SOAR platforms provide many opportunities to automate security tasks that cross between multiple systems. Cybersecurity professionals can also use scripting languages such as Python, Bash or PowerShell to achieve their automation goals.

32
Q

What are some of the potential challenges that might arise during the implementation of automation?

A
  1. Complexity
  2. Cost
  3. Single point of failure
  4. Technical debt
  5. Ongoing supportability
33
Q

What are some of the common use cases for automation and scripting?

A
  1. User provisioning
  2. Resource provisioning
  3. Guard rails (prevent violation of security protocols)
  4. Security groups
  5. Ticket creation
  6. Escalation
  7. Enabling/disabling services and access
  8. Continuous integration and testing
  9. Integrations and APIs
34
Q

What are some benefits of automation and scripting?

A
  1. Achieving efficiency and time savings
  2. Enforcing baselines
  3. Standardizing infrastructure configurations
  4. Scaling in a secure manner