Chapter 9

Question 1

Continuous Integration

Answer 1

is a development practice that checks code into a shared repository on a consistent ongoing basis. In continuous integration environments, this can range from a few times a day to a very frequent process of check-ins and automated builds.
Since continuous integration relies on an automated build process, it also requires automated testing.

Question 2

Continuous Deployment

Answer 2

Which rolls out tested changes into production automatically as soon as they have been tested.

Question 3

Improper Error Handling

Answer 3

Which often results in error messages that shouldn’t be exposed outside of a secure environment being accessible to attackers or the general public. Since errors often include detailed information about what is going on at the moment the error occurs, attackers can use them to learn about the application, databases, or even to get stack trace information providing significant detail they can leverage in further attacks. Errors that don’t appear to provide detailed information can still allow attackers to learn more about the application, as differing responses can give attackers clues about how successful their efforts are. As a security practitioner, you should pay careful attention to application vulnerability reports that show accessible error messages, as well as the content of those messages.

Question 4

Dereferencing

Answer 4

Issues are often due to null pointer dereferences. This means that a pointer with a value of NULL (in other words, one that isn’t set) is used as though it contains an expected value. This type of error almost always leads to a crash unless caught by an error handler. Race conditions, like those mentioned in a moment, are also a common place to find a dereferencing issue.

Question 5

Insecure Object References

Answer 5

occur when applications expose information about internal objects, allowing attackers to see how the object is identified and stored in a backend storage system. Once an attacker knows that, they may be able to leverage the information to gain further access, or to make assumptions about other data objects that they cannot view in this way.

Question 6

Race Conditions

Answer 6

Rely on timing. An application that needs to take action on an object may be sensitive to what is occurring or has occurred to that object. Although race conditions are not always reliable, they can be very powerful, and repeated attacks against a race condition can result in attackers succeeding.

Question 7

Broken Authentication

Answer 7

Is exactly what it sounds like. Improperly implemented authentication may allow attackers who are not logged in, or who are not logged in as a user with the correct rights, access to resources. Implementing a strong and reliable authentication (and authorization!) system is an important part of application coding.

Question 8

Sensitive Data Exposure

Answer 8

May occur when any of a number of flaws are exploited. The simplest version of this is when the application does not properly protect sensitive data, allowing attackers to access it.

Question 9

Insecure Components

Answer 9

Include a broad range of issues introduced when a component of an application or service is vulnerable and thus it introduces that vulnerability to the application. Understanding all of the components and modules that make up an application is critical to determining whether it may have known vulnerabilities that exist due to those components.

Question 10

Insufficient logging and monitoring

Answer 10

Will result in being unable to determine what occurred when something does go wrong. Part of a strong security design is determining what should be logged and monitored, ensuring that it is appropriately captured, and then building processes and systems to handle those logs and events so that the right thing happens when they occur.

Question 11

Weak or default configurations

Answer 11

Are common when applications and services are not properly set up or when default settings are used. One common example of this is using a default password for a service or database connection. Many application vulnerability scanners look for these default configurations, making it even easier for attackers to find them.

Question 12

Use of insecure functions

Answer 12

Can make it much harder to secure code. Functions like strcpy, which don’t have critical security features built in, can result in code that is easier for attackers to target. In fact, strcpy is the only specific function that the CySA+ objectives call out, likely because of how commonly it is used for buffer overflow attacks in applications written in C.

Question 13

strcpy

Answer 13

Allows data to be copied without caring whether the source is bigger than the destination. If this occurs, attackers can place arbitrary data in memory locations past the original destination, possibly allowing a buffer overflow attack to succeed.

Question 14

Mobile Platforms

Answer 14

Have their own operating systems, and their own platform security controls. They also have their own security tools like the iOS Keychain and Face ID. They store data in ways that can be specific to the device, with Android devices often offering both on-board storage and storage via microSD cards, which can make tampering easier for attackers. Most of the common issues for mobile platforms, however, are similar to those found in other platforms. As of this writing, OWASP’s most recent mobile vulnerability list includes insecure communication, insecure authentication and authorization, insufficient cryptography, code quality, and reverse engineering—all issues with other platforms.

Question 15

Embedded Systems

Answer 15

Computer systems that are part of a larger system with a small number of dedicated functions

Question 16

System-on-chip (SoC)

Answer 16

Which embed a complete computer in a chip, can provide additional security because they’re not as accessible, but that often comes with less frequent updates or an inability to update them easily.

Question 17

Client-Server Model

Answer 17

In this model, clients (web browsers, applications, or other clients) communicate with one or more servers that provide information to them. Web applications work this way, and security practitioners need to understand that attacks may be conducted against the clients, against the network, against the traffic sent between the client and server, and against the server itself. Thus, the attack surface of a client-server application is broad, and appropriate security measures must be implemented for each component.

Question 18

Firmware

Answer 18

Is the embedded software used by a computer or hardware device. Firmware flaws can be hard to fix, since not all devices are designed to update their firmware. Attackers who want to target firmware will often seek to acquire a copy of the firmware, either by directly connecting to the device and downloading it or by acquiring the firmware itself from a download site or other means. After that, standard reverse engineering and other software exploitation techniques can be applied to it to identify flaws that may be worth exploiting.

Question 19

Risk Assessment

Answer 19

Is important to understand what risks the application faces and how to prioritize remediation of those issues. Continuous assessment is recommended for applications using regularly scheduled testing tools that can inform the application risk assessment process.

Question 20

Input Validation

Answer 20

helps prevent a wide range of problems, from cross-site scripting (XSS) to SQL injection attacks.

Question 21

Output Encoding

Answer 21

Translates special characters into an equivalent but safe version before a target application or interpreter reads it. This helps to prevent XSS attacks by preventing special characters from being inserted that cause the target application to perform an action.

Question 22

WAF

Answer 22

Can prevent attacks against vulnerable applications and offer a line of defense for applications that don’t have an available patch or that cannot be taken offline for patching.

Question 23

Error message management

Answer 23

Particularly ensuring that error messages do not leak information, is important to ensure that attackers can’t use error messages to learn about your applications or systems.

Question 24

Database Security

Answer 24

At both the application and database can help ensure that data leaks don’t occur.

Question 25

Parameterized Queries

Answer 25

Which are precompiled SQL that takes input variables before it is executed. This helps prevent SQL injection attacks.

Question 26

Data Protection

Answer 26

Securing Sensitive Information by encrypting it or storing it using appropriate secure mechanisms (like password hashes for passwords) helps ensure that a breach of a system does not result in broader issues.

Question 27

Ensuring Availability

Answer 27

by performing load and stress testing and designing the application infrastructure to be scalable can prevent outages and may limit the impact of denial-of-service attacks.

Question 28

Monitoring and logging

Answer 28

should be enabled, centralized, and set to identify both application and security issues.

Question 29

Authentication

Answer 29

Limits access to applications to only authenticated users or systems

Question 30

MFA

Answer 30

Helps limit the impact of credential compromise

Question 31

Secure Session Management

Answer 31

Ensure that attackers cannot hijack user sessions or that session issues don’t cause confusion among users

Question 32

Cookie Management

Answer 32

is important for web applications that rely on cookie-based information.

Question 33

Secure all network traffic

Answer 33

Encryption of all traffic is a viable option with modern hardware, and it prevents network-based attacks from easily capturing data that could be sensitive.

Question 34

API

Answer 34

Are interfaces between clients and servers or applications and operating systems that define how the client should ask for information from the server and how the server will respond.

Question 35

Service-Oriented Architecture (SOA)

Answer 35

Is a software design that provides services to components of a system or service via communication protocols on a network. The intent of a SOA design is to allow loosely coupled components to communicate in a standardized way, allowing them to consume and provide data to other components. Developers abstract the service, hiding the complexity of the service and its inner workings, instead providing ways to access the data. Typical components of a service-oriented architecture include service providers, service registries or service brokers that provide listings and information about service providers, and consumers who access the services.

Question 36

Simple Object Access Protocol (SOAP)

Answer 36

Is an XML-based messaging protocol that was frequently used for web services. SOAP defines how messages should be formatted and exchanged, how transport of the messages occurs, as well as models for processing them. Like other XML-based protocols, SOAP is extensible, so it can be customized as needed.

Question 37

RESTful HTTP

Answer 37

Has largely supplanted SOAP in many use cases because of its greater flexibility. REST APIs follow six architectural constraints: they use a uniform interface, they separate clients and servers, they are stateless (in other words they don’t use server-side sessions), they mark whether server responses are cacheable, they are designed to allow layering of services between clients and servers, and they may include client executable code in their responses.

Question 38

Pair Programming

Answer 38

Is an Agile software development technique that places two developers at one workstation. One developer writes code, while the other developer reviews their code as they write it. This is intended to provide real-time code review, and it ensures that multiple developers are familiar with the code that is written. In most pair programming environments, the developers are expected to change roles frequently, allowing both of them to spend time thinking about the code while at the keyboard and to consider the design and any issues in the code while reviewing it.

Question 39

Over-the-shoulder code review

Answer 39

Also relies on a pair of developers, but rather than requiring constant interaction and hand-offs, over-the-shoulder requires the developer who wrote the code to explain the code to the other developer. This allows peer review of code and can also assist developers in understanding how the code works, without the relatively high cost of pair programming.

Question 40

Pass-around code review

Answer 40

Sometimes known as email pass-around code review, is a form of manual peer review done by sending completed code to reviewers who check the code for issues. Pass-around reviews may involve more than one reviewer, allowing reviewers with different expertise and experience to contribute their expertise. Although pass-around reviews allow more flexibility in when they occur than an over-the-shoulder review, they don’t provide the same easy opportunity to learn about the code from the developer who wrote it that over-the-shoulder and pair programming offer, making documentation more important.

Question 41

Tool-assisted code review

Answer 41

Rely on formal or informal software-based tools to conduct code reviews. Tools like Atlassian’s Crucible collaborative code review tool, Codacy’s static code review tool, and Phabricator’s Differential code review tool are all designed to improve the code review process. The wide variety of tools used for code review reflects not only the multitude of software development life cycle options but also how organizations set up their design and review processes.

Question 42

Tool-assisted code reviews

Answer 42

Rely on formal or informal software-based tools to conduct code reviews. Tools like Atlassian’s Crucible collaborative code review tool, Codacy’s static code review tool, and Phabricator’s Differential code review tool are all designed to improve the code review process. The wide variety of tools used for code review reflects not only the multitude of software development life cycle options but also how organizations set up their design and review processes.

Question 43

Fagan Inspection

Answer 43

Is a form of structured, formal code review intended to find a variety of problems during the development process. Fagan inspection specifies entry and exit criteria for processes, ensuring that a process is not started before appropriate diligence has been performed, and also making sure that there are known criteria for moving to the next phase.

Question 44

Fuzzing

Answer 44

Invovles sending invalid or random data to an application to test its ability to handle unexpected data

Question 45

Regression Testing

Answer 45

Focuses on testing to ensure that changes that have been made do not create new issues. From a security perspective, this often comes into play when patches are installed or when new updates are applied to a system or application.

Question 46

Security Regression Testing

Answer 46

Is performed to ensure that no new vulnerabilities, misconfigurations, or other issues have been introduced.

Question 47

Hardware root of trust

Answer 47

For a system contains the cryptographic keys that secure the boot process. This means that the system or device inherently trusts the hardware root of trust, and that it needs to be secure!

Question 48

Trusted Platform Module (TPM)

Answer 48

Built into computers. TPM chips are frequently used to provide built-in encryption, and they provide three major functions: Remote attestation, allowing hardware and software configurations to be verified.
Binding, which encrypts data.
Sealing, which encrypts data and sets requirements for the state of the TPM chip before decryption.

Question 49

Hardware Security Modules (HSM)

Answer 49

Hardware security modules are typically external devices or plug-in cards used to create, store, and manage digital keys for cryptographic functions and authentication, as well as to offload cryptographic processing. HSMs are often used in high-security environments and are normally certified to meet standards like FIPS 140 or Common Criteria standards.

Question 50

Unified Extensible Firmware Interface (UEFI)

Answer 50

UEFI provides for the ability to secure boot, which will load only drivers and operating system loaders that have been signed using an accepted digital signature. Since these keys have to be loaded into the UEFI firmware, UEFI security has been somewhat contentious, particularly with the open source community. UEFI remains one way to provide additional security if your organization needs to have a greater level of trust in the software a system is loading.

Question 51

Secure Processing

Answer 51

Can mean a number of things, but in the context of hardware security it typically refers to trusted execution environments. Much like other low-level hardware protections, secure processing often starts with boot processes and may include monitoring, privileged execution management, and other protections. Secure processing can leverage or allow access to a trusted execution environment.

Question 52

Processor Security Extensions

Answer 52

Exist in many different CPUs, including ARM, Intel, and AMD CPUs. They provide security-related functions implemented in the CPU hardware. Extensions typically recognize secure and nonsecure states and have memory allocated as secure memory, but implementations may vary.

Question 53

Atomic Execution

Answer 53

Describes a type of operation during which a processor both reads and writes a location during the same bus operation. Since this happens in the same operation, it prevents other processors or devices from accessing or modifying the location during the operation, helping to ensure the integrity of the operation.

Question 54

Secure Enclaves

Answer 54

In modern Apple mobile devices are hardware components that provide cryptographic operations and user authentication, and are designed to remain secure even if the operating system is compromised. They run their own micro-kernel, and their own secure boot process, allowing secure processing separate from the rest of the operating system and CPU. Secure enclaves on Apple devices generate an encryption key at boot, then pair it with a userID to encrypt, validate, and use the secure enclave’s portion of system memory. The secure enclave also handles things like Face ID, allowing authentication to be handled in a secure partition.

Question 55

Anti-Tamper

Answer 55

Protection comes in many varieties from mechanical means like anti-tamper screws and holographic stickers to electronic detection methods. Tamper-proofing microprocessors often takes the form of encasing electronics or otherwise securing them, while attackers use techniques like physically probing or modifying them, freezing devices, and applying out-of-spec power or signals.

Question 56

Self-Encrypting Drives (SEDs)

Answer 56

Provide built-in encryption capabilities. When the drive needs to be accessed, the user must present a cryptographic key. Once the key is provided, the drive is unlocked and accessible, transparently encrypting and decrypting data as it is needed. This means that if the drive is removed or the key is not available, all of the contents of the drive will remain encrypted and secure.

Question 57

Bus Encryption

Answer 57

Is used to protect data traveling inside as system or device. Bus encryption relies on built-in cryptographic processing capabilities to secure information as it flows from one component to another, often from the CPU to other elements of the device. Using an encrypted bus can protect data that is being processed and help to prevent reverse engineering efforts conducted against the hardware or CPU.