Chapter 9 Flashcards

1
Q

Continuous Integration

A

is a development practice that checks code into a shared repository on a consistent ongoing basis. In continuous integration environments, this can range from a few times a day to a very frequent process of check-ins and automated builds.
Since continuous integration relies on an automated build process, it also requires automated testing.

2
Q

Continuous Deployment

A

Rolls tested changes out into production automatically as soon as they have passed testing.

3
Q

Improper Error Handling

A

Which often results in error messages that shouldn’t be exposed outside of a secure environment being accessible to attackers or the general public. Since errors often include detailed information about what is going on at the moment the error occurs, attackers can use them to learn about the application, databases, or even to get stack trace information providing significant detail they can leverage in further attacks. Errors that don’t appear to provide detailed information can still allow attackers to learn more about the application, as differing responses can give attackers clues about how successful their efforts are. As a security practitioner, you should pay careful attention to application vulnerability reports that show accessible error messages, as well as the content of those messages.

4
Q

Dereferencing

A

Issues are often due to null pointer dereferences. This means that a pointer with a value of NULL (in other words, one that isn’t set) is used as though it contains an expected value. This type of error almost always leads to a crash unless caught by an error handler. Race conditions are also a common place to find dereferencing issues.

5
Q

Insecure Object References

A

occur when applications expose information about internal objects, allowing attackers to see how the object is identified and stored in a backend storage system. Once an attacker knows that, they may be able to leverage the information to gain further access, or to make assumptions about other data objects that they cannot view in this way.

6
Q

Race Conditions

A

Rely on timing. An application that needs to take action on an object may be sensitive to what is occurring or has occurred to that object. Although race conditions are not always reliable, they can be very powerful, and repeated attacks against a race condition can result in attackers succeeding.

7
Q

Broken Authentication

A

Is exactly what it sounds like. Improperly implemented authentication may allow attackers who are not logged in, or who are not logged in as a user with the correct rights, access to resources. Implementing a strong and reliable authentication (and authorization!) system is an important part of application coding.

8
Q

Sensitive Data Exposure

A

May occur when any of a number of flaws are exploited. The simplest version of this is when the application does not properly protect sensitive data, allowing attackers to access it.

9
Q

Insecure Components

A

Include a broad range of issues introduced when a component of an application or service is vulnerable and thus introduces that vulnerability into the application. Understanding all of the components and modules that make up an application is critical to determining whether it may have known vulnerabilities that exist due to those components.

10
Q

Insufficient logging and monitoring

A

Will result in being unable to determine what occurred when something does go wrong. Part of a strong security design is determining what should be logged and monitored, ensuring that it is appropriately captured, and then building processes and systems to handle those logs and events so that the right thing happens when they occur.

11
Q

Weak or default configurations

A

Are common when applications and services are not properly set up or when default settings are used. One common example of this is using a default password for a service or database connection. Many application vulnerability scanners look for these default configurations, making it even easier for attackers to find them.

12
Q

Use of insecure functions

A

Can make it much harder to secure code. Functions like strcpy, which don’t have critical security features built in, can result in code that is easier for attackers to target. In fact, strcpy is the only specific function that the CySA+ objectives call out, likely because of how commonly it is used for buffer overflow attacks in applications written in C.

13
Q

strcpy

A

Allows data to be copied without checking whether the source is bigger than the destination. If this occurs, attackers can place arbitrary data in memory locations past the original destination, possibly allowing a buffer overflow attack to succeed.

14
Q

Mobile Platforms

A

Have their own operating systems, and their own platform security controls. They also have their own security tools like the iOS Keychain and Face ID. They store data in ways that can be specific to the device, with Android devices often offering both on-board storage and storage via microSD cards, which can make tampering easier for attackers. Most of the common issues for mobile platforms, however, are similar to those found in other platforms. As of this writing, OWASP’s most recent mobile vulnerability list includes insecure communication, insecure authentication and authorization, insufficient cryptography, code quality, and reverse engineering—all issues with other platforms.

15
Q

Embedded Systems

A

Computer systems that are part of a larger system with a small number of dedicated functions

16
Q

System-on-chip (SoC)

A

Embed a complete computer in a chip. They can provide additional security because they’re not as accessible, but that often comes with less frequent updates or an inability to update them easily.

17
Q

Client-Server Model

A

In this model, clients (web browsers, applications, or other clients) communicate with one or more servers that provide information to them. Web applications work this way, and security practitioners need to understand that attacks may be conducted against the clients, against the network, against the traffic sent between the client and server, and against the server itself. Thus, the attack surface of a client-server application is broad, and appropriate security measures must be implemented for each component.

18
Q

Firmware

A

Is the embedded software used by a computer or hardware device. Firmware flaws can be hard to fix, since not all devices are designed to update their firmware. Attackers who want to target firmware will often seek to acquire a copy of the firmware, either by directly connecting to the device and downloading it or by acquiring the firmware itself from a download site or other means. After that, standard reverse engineering and other software exploitation techniques can be applied to it to identify flaws that may be worth exploiting.

19
Q

Risk Assessment

A

Is important for understanding what risks the application faces and how to prioritize remediation of those issues. Continuous assessment is recommended for applications, using regularly scheduled testing tools that can inform the application risk assessment process.

20
Q

Input Validation

A

helps prevent a wide range of problems, from cross-site scripting (XSS) to SQL injection attacks.

21
Q

Output Encoding

A

Translates special characters into an equivalent but safe version before a target application or interpreter reads it. This helps to prevent XSS attacks by preventing special characters from being inserted that cause the target application to perform an action.

22
Q

WAF

A

Can prevent attacks against vulnerable applications and offer a line of defense for applications that don’t have an available patch or that cannot be taken offline for patching.

23
Q

Error message management

A

Particularly ensuring that error messages do not leak information, is important so that attackers can’t use error messages to learn about your applications or systems.

24
Q

Database Security

A

At both the application and database layers can help ensure that data leaks don’t occur.

25
Q

Parameterized Queries

A

Are precompiled SQL statements that take input variables as parameters before they are executed. This helps prevent SQL injection attacks.

26
Q

Data Protection

A

Securing sensitive information by encrypting it or storing it using appropriate secure mechanisms (like password hashes for passwords) helps ensure that a breach of a system does not result in broader issues.

27
Q

Ensuring Availability

A

by performing load and stress testing and designing the application infrastructure to be scalable can prevent outages and may limit the impact of denial-of-service attacks.

28
Q

Monitoring and logging

A

should be enabled, centralized, and set to identify both application and security issues.

29
Q

Authentication

A

Limits access to applications to only authenticated users or systems

30
Q

MFA

A

Helps limit the impact of credential compromise

31
Q

Secure Session Management

A

Ensures that attackers cannot hijack user sessions and that session issues don’t cause confusion among users.

32
Q

Cookie Management

A

is important for web applications that rely on cookie-based information.

33
Q

Secure all network traffic

A

Encryption of all traffic is a viable option with modern hardware, and it prevents network-based attacks from easily capturing data that could be sensitive.

34
Q

API

A

Are interfaces between clients and servers or applications and operating systems that define how the client should ask for information from the server and how the server will respond.

35
Q

Service-Oriented Architecture (SOA)

A

Is a software design that provides services to components of a system or service via communication protocols on a network. The intent of a SOA design is to allow loosely coupled components to communicate in a standardized way, allowing them to consume and provide data to other components. Developers abstract the service, hiding the complexity of the service and its inner workings, instead providing ways to access the data. Typical components of a service-oriented architecture include service providers, service registries or service brokers that provide listings and information about service providers, and consumers who access the services.

36
Q

Simple Object Access Protocol (SOAP)

A

Is an XML-based messaging protocol that was frequently used for web services. SOAP defines how messages should be formatted and exchanged, how transport of the messages occurs, as well as models for processing them. Like other XML-based protocols, SOAP is extensible, so it can be customized as needed.

37
Q

RESTful HTTP

A

Has largely supplanted SOAP in many use cases because of its greater flexibility. REST APIs follow six architectural constraints: they use a uniform interface, they separate clients and servers, they are stateless (in other words they don’t use server-side sessions), they mark whether server responses are cacheable, they are designed to allow layering of services between clients and servers, and they may include client executable code in their responses.

38
Q

Pair Programming

A

Is an Agile software development technique that places two developers at one workstation. One developer writes code, while the other developer reviews their code as they write it. This is intended to provide real-time code review, and it ensures that multiple developers are familiar with the code that is written. In most pair programming environments, the developers are expected to change roles frequently, allowing both of them to spend time thinking about the code while at the keyboard and to consider the design and any issues in the code while reviewing it.

39
Q

Over-the-shoulder code review

A

Also relies on a pair of developers, but rather than requiring constant interaction and hand-offs, over-the-shoulder requires the developer who wrote the code to explain the code to the other developer. This allows peer review of code and can also assist developers in understanding how the code works, without the relatively high cost of pair programming.

40
Q

Pass-around code review

A

Sometimes known as email pass-around code review, is a form of manual peer review done by sending completed code to reviewers who check the code for issues. Pass-around reviews may involve more than one reviewer, allowing reviewers with different expertise and experience to contribute. Although pass-around reviews allow more flexibility in when they occur than an over-the-shoulder review, they don’t provide the same easy opportunity to learn about the code from the developer who wrote it that over-the-shoulder and pair programming offer, making documentation more important.

41
Q

Tool-assisted code review

A

Rely on formal or informal software-based tools to conduct code reviews. Tools like Atlassian’s Crucible collaborative code review tool, Codacy’s static code review tool, and Phabricator’s Differential code review tool are all designed to improve the code review process. The wide variety of tools used for code review reflects not only the multitude of software development life cycle options but also how organizations set up their design and review processes.

43
Q

Fagan Inspection

A

Is a form of structured, formal code review intended to find a variety of problems during the development process. Fagan inspection specifies entry and exit criteria for processes, ensuring that a process is not started before appropriate diligence has been performed, and also making sure that there are known criteria for moving to the next phase.

44
Q

Fuzzing

A

Involves sending invalid or random data to an application to test its ability to handle unexpected data.

45
Q

Regression Testing

A

Focuses on testing to ensure that changes that have been made do not create new issues. From a security perspective, this often comes into play when patches are installed or when new updates are applied to a system or application.

46
Q

Security Regression Testing

A

Is performed to ensure that no new vulnerabilities, misconfigurations, or other issues have been introduced.

47
Q

Hardware root of trust

A

For a system contains the cryptographic keys that secure the boot process. This means that the system or device inherently trusts the hardware root of trust, and that it needs to be secure!

48
Q

Trusted Platform Module (TPM)

A

Are chips built into computers. TPM chips are frequently used to provide built-in encryption, and they provide three major functions:
Remote attestation, allowing hardware and software configurations to be verified.
Binding, which encrypts data.
Sealing, which encrypts data and sets requirements for the state of the TPM chip before decryption.

49
Q

Hardware Security Modules (HSM)

A

Hardware security modules are typically external devices or plug-in cards used to create, store, and manage digital keys for cryptographic functions and authentication, as well as to offload cryptographic processing. HSMs are often used in high-security environments and are normally certified to meet standards like FIPS 140 or Common Criteria standards.

50
Q

Unified Extensible Firmware Interface (UEFI)

A

UEFI provides the ability to perform a secure boot, which loads only drivers and operating system loaders that have been signed using an accepted digital signature. Since these keys have to be loaded into the UEFI firmware, UEFI security has been somewhat contentious, particularly with the open source community. UEFI remains one way to provide additional security if your organization needs to have a greater level of trust in the software a system is loading.

51
Q

Secure Processing

A

Can mean a number of things, but in the context of hardware security it typically refers to trusted execution environments. Much like other low-level hardware protections, secure processing often starts with boot processes and may include monitoring, privileged execution management, and other protections. Secure processing can leverage or allow access to a trusted execution environment.

52
Q

Processor Security Extensions

A

Exist in many different CPUs, including ARM, Intel, and AMD CPUs. They provide security-related functions implemented in the CPU hardware. Extensions typically recognize secure and nonsecure states and have memory allocated as secure memory, but implementations may vary.

53
Q

Atomic Execution

A

Describes a type of operation during which a processor both reads and writes a location during the same bus operation. Since this happens in the same operation, it prevents other processors or devices from accessing or modifying the location during the operation, helping to ensure the integrity of the operation.

54
Q

Secure Enclaves

A

In modern Apple mobile devices are hardware components that provide cryptographic operations and user authentication, and are designed to remain secure even if the operating system is compromised. They run their own micro-kernel, and their own secure boot process, allowing secure processing separate from the rest of the operating system and CPU. Secure enclaves on Apple devices generate an encryption key at boot, then pair it with a userID to encrypt, validate, and use the secure enclave’s portion of system memory. The secure enclave also handles things like Face ID, allowing authentication to be handled in a secure partition.

55
Q

Anti-Tamper

A

Protection comes in many varieties, from mechanical means like anti-tamper screws and holographic stickers to electronic detection methods. Tamper-proofing microprocessors often takes the form of encasing electronics or otherwise securing them, while attackers use techniques like physically probing or modifying them, freezing devices, and applying out-of-spec power or signals.

56
Q

Self-Encrypting Drives (SEDs)

A

Provide built-in encryption capabilities. When the drive needs to be accessed, the user must present a cryptographic key. Once the key is provided, the drive is unlocked and accessible, transparently encrypting and decrypting data as it is needed. This means that if the drive is removed or the key is not available, all of the contents of the drive will remain encrypted and secure.

57
Q

Bus Encryption

A

Is used to protect data traveling inside a system or device. Bus encryption relies on built-in cryptographic processing capabilities to secure information as it flows from one component to another, often from the CPU to other elements of the device. Using an encrypted bus can protect data that is being processed and help to prevent reverse engineering efforts conducted against the hardware or CPU.