Chapter 7 Flashcards

Question

Analyzing and Reviewing Code

Answer 1

Static code analysis. Static code analysis examines the code without executing it. Manual code review someone goes through the code line by line other than the programmer. Dynamic code analysis Dynamic code analysis checks the code as it is running. A common method is to use fuzzing. Fuzzing uses a computer program to send random data to an application. In some cases, the random data can crash the program or create unexpected results, indicating a vulnerability. Sandboxing Sandboxing is used to test applications within an isolated area specifically created for testing. Virtual machines (VMs) are often used for sandboxing. Package monitoring . Every developer uses code written by others, t’s important to monitor the use of these shared packages throughout your organization. When vulnerabilities arise in code written by others, you will need the ability to identify all cases where the affected packages were used and patch them. Static code analysis examines the code without running it. In a manual review, a developer goes through the code line by line, looking for vulnerabilities. Dynamic code analysis checks the code while it is running. Fuzzing techniques send random strings of data to applications looking for vulnerabilities.

Answer 2

Software version control tracks the versions of software as it is updated, including who made the update and when. Many advanced software development tools include sophisticated version control systems. Developers check out the code to work on it and check it back into the system when they’re done. The version control system can then document every single change made by the developer. Even better, this version control process typically allows developers to roll back changes to a previous version when necessary. Effective version control processes also help eliminate unauthorized changes. If developers can make changes that aren’t tracked, they can easily cause unintended problems.

Answer 3

Development. In the development stage, software developers use an isolated development environment to create the application. It’s isolated from a production environment to ensure that any bugs don’t impact other systems. This typically includes version and change controls to track the application development. Test. The Testers put the application through its paces and attempt to discover any bugs or errors in the testing stage. The testing environment typically doesn’t simulate a full production environment but instead includes enough hardware and software to test software modules. Staging. The staging environment simulates the production environment and is used for late-stage testing. It provides a complete but independent copy of the production environment. It attempts to discover any bugs that might adversely impact the live environment. Production. In the production stage, the application goes live as the final product. It includes everything needed to support the application and allow customers to use it. In this example, it would include the live web server, possibly a back-end database server, and Internet access. Quality assurance (QA). Quality assurance is an ongoing process used throughout the lifetime of the project from the development stage and after it is deployed. It helps ensure that an application maintains a high level of quality and meets the original requirements. Some organizations follow specific standards used for quality assurance, such as those published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

Answer 4

Attackers use SQL injection attacks to pass queries to back-end databases through web servers. Many SQL injection attacks use the code ' or 1=1 to trick the database server into providing information. Input validation techniques and stored procedures help prevent SQL injection attacks. Many SQL injection attacks use the code ' or 1=1 to trick the database server into providing information.

Answer 5

Web server logs typically log activity on the server. These web server logs will show normal activity, such as HTTP requests from users and the server’s responses. If your organization owns or controls the server, administrators will have access to the web server logs. However, administrators can’t examine logs of servers owned by others. As an example, you can’t access logs of

Answer 6

A memory leak is a bug in a computer application that causes the application to consume more and more memory the longer it runs. In extreme cases, the application can consume so much memory that the operating system crashes. Memory leaks are typically caused by an application that reserves memory for short-term use but never releases it. For example, imagine a web application that collects user profile data to personalize users’ browsing experiences. However, it collects this data every time a user accesses a webpage, and it never releases the memory used to store the data. An initial indicator of a memory leak is a system running slower and slower until it is rebooted. It’s possible to detect memory leaks by looking at the memory usage per application in operating system tools, such as the Windows Task Manager.

Answer 7

A buffer overflow occurs when an application receives more input, or different input, than it expects. The result is an error that exposes system memory that would otherwise be protected and inaccessible. Normally, an application will have access only to a specific area of memory, called a buffer. The buffer overflow allows access to memory locations beyond the application’s buffer, enabling an attacker to write malicious code into this memory area. The buffer overflow exposes a vulnerability, but it doesn’t necessarily cause damage by itself. However, once attackers discover the vulnerability, they exploit it and overwrite memory locations with their own code.

Answer 8

The buffer overflow exposes a vulnerability, but it doesn’t necessarily cause damage by itself. However, once attackers discover the vulnerability, they exploit it and overwrite memory locations with their own code. This technique is known as memory injection.

Answer 9

An integer overflow occurs if an application receives a numeric value that is too big for the application to handle. The result is that the application gives inaccurate results. Remember Buffer overflows occur when an application receives more data than it can handle or receives unexpected data that exposes system memory. Buffer overflow attacks often include NOP instructions (such as 0x90) followed by malicious code. When successful, the attack causes the system to execute the malicious code. Input validation helps prevent buffer overflow attacks.

Answer 10

Applications commonly use a dynamic link library. A DLL is a compiled set of code that an application can use without re-creating the code. DLL injection is an attack that injects a DLL into a system’s memory and causes it to run.

Answer 11

LDAP Injection An LDAP injection attack is sometimes possible when a web application is used to query an LDAP-based database. The best way to prevent this is by validating the input before using it, as discussed in the previous “Input Validation” section.

Answer 12

A primary indicator of XML injection is the creation of unwanted accounts, but it may take detailed logging and auditing to discover this. The best thing to do is to prevent XML injection with strong input validation.

Answer 13

Directory traversal is a specific type of injection attack that attempts to access a file by including the full directory path or traversing the directory structure on a computer. If the web server doesn’t block the use of directory navigation commands and the file system isn’t secured to prevent this access, the server may display the /etc/passwd file to the attacker.

Answer 14

Cross-site scripting (XSS) is a web application vulnerability that allows attackers to inject scripts into webpages. This generally occurs in one of two ways: Reflected XSS or non-persistent. This starts by an attacker crafting a malicious email and then encouraging a user to click it. The malicious URL is often placed within a phishing email, but it could also be placed on a public website, such as a link within a comment. When the user clicks the malicious URL, it sends an HTTP request to a server. This request includes malicious code, and the server sends it back to the user in the HTTP response. Stored XSS or persistent. Instead of the user sending the malicious code to the server, it is stored in a database or other location trusted by the web application. The web application can retrieve the malicious code later, such as when an administrator logs on to the website.

Answer 15

User provisioning: Automating the process of creating, updating, and removing user accounts and permissions ensures that access control is maintained efficiently and securely. This can help prevent unauthorized access and maintain the principle of least privilege. Resource provisioning: Automation can be used to create, configure, and decommission resources such as virtual machines, storage, and networks. This helps maintain a standardized, secure environment while reducing the potential for human error and configuration drift. Guardrails Guardrails: Automated guardrails can be put in place to enforce security policies and ensure that security best practices are consistently followed throughout the organization. Security groups: Automation can be used to manage security groups, ensuring that access controls are consistently applied to network resources and that they are updated as needed to address changes in the threat landscape. Ticket creation: Automated ticket creation can be used to streamline incident response processes, ensuring that issues are quickly reported and assigned to the appropriate teams for resolution. Escalation: Automation can be used to escalate security incidents or events to the appropriate personnel or teams based on predetermined criteria, improving response times, and reducing the potential impact of security threats. Enabling/disabling services and access: Automation can be employed to enable or disable services and access based on various criteria, such as user roles, security policies, or risk assessments. This can help maintain a secure environment by limiting unnecessary access and reducing potential attack surfaces. Continuous integration and testing: Automation is crucial for continuous integration and testing processes, which help ensure that code is consistently reviewed, tested, and deployed in a secure manner. This can help prevent the introduction of security vulnerabilities and maintain compliance with security standards. Integrations and Application programming interfaces (APIs): Automation can be used to integrate various security tools and platforms, allowing them to work together more effectively and share information in real-time. APIs can be employed to enable these integrations, allowing for the secure exchange of data and streamlining security operations. Remember This! The common use cases for automation and scripting in security operations are user provisioning, resource provisioning, guardrails, security groups, ticket creation, escalation, enabling/disabling services and access, continuous integration and testing, and the use of APIs to create integrations.

Answer 16

Efficiency/time saving: Automation and scripting can significantly reduce the time required for various tasks, from provisioning resources to responding to security incidents. This allows IT and security teams to focus on more strategic and high-value activities. Enforcing baselines: Automation enables the consistent enforcement of security baselines and policies across an organization’s infrastructure. This helps ensure that all systems and applications are configured in a secure manner and that any deviations are quickly addressed. Standard infrastructure configurations: By automating the deployment and management of infrastructure components, organizations can maintain standard configurations that adhere to security best practices. This reduces the risk of misconfigurations and vulnerabilities resulting from manual processes. Scaling in a secure manner: Automation and scripting allow organizations to scale their operations securely and efficiently. As the number of systems and users grows, automated processes can ensure that security measures are consistently applied and maintained. Employee retention Employee retention: Automating repetitive and time-consuming tasks can increase job satisfaction by enabling employees to focus on more engaging and strategic work. This can contribute to higher employee retention rates and a more motivated workforce. Reaction time, Automation can help improve an organization’s reaction time vulnerabilities. Automated processes can quickly detect, report, and address issues, minimizing the potential impact and reducing the time it takes to respond. Workforce multiplier manage more systems and processes without the need for additional personnel. This can result in cost savings and a more efficient allocation of resources. Remember This! The key benefits of automation and scripting in security operations include improved efficiency and time saving, consistent enforcement of baselines, standardized infrastructure configurations, secure scaling, increased employee retention, faster reaction times, and serving as a workforce multiplier.