Chapter 9 - Client And Application Securiity

Question 1

BIOS (Basic Input/Output System)

Answer 1

Firmware that wakens and tests the various components of the computer upon startup.

Question 2

UEFI (Unified Extensible Firmware Interface)

Answer 2

A newer mechanism that replaces the BIOS for startup.

Question 3

Secure boot

Answer 3

A standard designed to be used with UEFI to ensure that a computer boots using only software that is trusted by the computer manufacturer.

Question 4

Hardware root of trust

Answer 4

The hardware starting point in a chain of trust.

Question 5

Electromagnetic spying

Answer 5

Picking up on the electromagnetic fields that digital devices produce and reading the data that is producing them.

Question 6

Telecommunications Electronics Material Protected from Emanating Spurious Transmissions (TEMPEST)

Answer 6

A classified standard intended to prevent attackers from picking up electromagnetic fields from government buildings.

Question 7

Supply chain

Answer 7

A network that moves a product from the supplier to the customer.

Question 8

Least functionality

Answer 8

A principle in which a user is given the minimum set of permissions required to perform necessary tasks.

Question 9

Application whitelisting/blacklisting

Answer 9

Creating a list of applications that are permitted (whitelisting) or denied (blacklisting) to run.

Question 10

Patch

Answer 10

A publicly released software security update intended to repair a vulnerability.

Question 11

Antivirus (AV)

Answer 11

Software that can examine a computer for any infections as well as monitor computer activity and scan new documents that might contain a virus.

Question 12

Trusted OS

Answer 12

An operating system that has been designed through OS hardening.

Question 13

Deadbolt lock

Answer 13

A door lock that extends a solid metal bar into the door frame for extra security.

Question 14

Key management

Answer 14

Procedures to regulate the distribution of door keys.

Question 15

Access logs

Answer 15

A paper or electronic record of individuals who have permission to enter a secure area, the time that they entered, and the time they left the area.

Question 16

Mantrap

Answer 16

A device that monitors and controls two interlocking doors to a small room, designed to separate secure and nonsecure areas.

Question 17

Protected distribution system (PDS)

Answer 17

A system of cable conduits that is used to protect classified information being transmitted between two secure areas.

Question 18

Memory leak

Answer 18

A vulnerability that occurs when an application dynamically allocates memory but does not free that memory when finished using it.

Question 19

Pointer deference

Answer 19

A pointer with a value of NULL used as if it pointed to a valid memory area.

Question 20

DLL injection

Answer 20

An attack that inserts code into a running process through a Dynamic Link Library.

Question 21

Development stage

Answer 21

A stage of application development in which the requirements for the application are established and it is confirmed that the application meets the intended business needs before the actual coding begins.

Question 22

Testing stage

Answer 22

A stage in which an application is tested for any errors that could result in a security vulnerability.

Question 23

Staging stage

Answer 23

A stage in application development that performs a quality assurance test to verify that the code functions as intended.

Question 24

Production stage

Answer 24

An application development stage in which the application is released to be used in its actual setting.

Question 25

Application development lifecycle model

Answer 25

A conceptual model that describes the different stages involved in creating an application.

Question 26

Waterfall model

Answer 26

An application development lifecycle model that uses a sequential design process.

Question 27

Agile model

Answer 27

An application development lifecycle model that follows an incremental approach.

Question 28

Secure DevOps

Answer 28

A specific type of software methodology that follows the agile model and heavily incorporates security concepts.

Question 29

Security automation

Answer 29

Tools that test for vulnerabilities.

Question 30

Continuous integration

Answer 30

Ensuring that security features are incorporated at each stage of application development.

Question 31

Immutable systems

Answer 31

Ensuring that once a vale or configuration is employed as part of an application, it is not modified.

Question 32

Infrastructure as code

Answer 32

Managing a hardware and software infrastructure using the same
Principles as developing computer code.

Question 33

Baselining

Answer 33

Creating a starting point for comparison purposes to apply targets and goals to measure success.

Question 34

Provisioning

Answer 34

The enterprise-wide configuration, deployment, and management of multiple types of air system resources.

Question 35

Deprovisioning

Answer 35

Removing a resource that is no longer needed.

Question 36

Change management

Answer 36

A methodology for making modifications to a system and keeping track of those changes.

Question 37

Version control

Answer 37

Software that allows changes to be automatically recorded and if necessary “rolled back” to a previous version of the software.

Question 38

Data exposure

Answer 38

Disclosing sensitive data to attackers.

Question 39

Proper error handling

***(secure coding techniques—->)

Answer 39

Taking the correct steps when an error occurs so that the application does not abort unexpectedly.

Question 40

Proper input validation

Answer 40

Accounting for errors such as incorrect user input.

Question 41

Normalization

Answer 41

Organizing data within a database to minimize redundancy.

Question 42

Stored procedure

Answer 42

A subroutine available to applications that access a relational database.

Question 43

Code signing

Answer 43

Digitally signing applications.

Question 44

Obfuscation/camouflaged code

Answer 44

Writing an application in such a way that it’s inner functionality is difficult for an outsider to understand.

Question 45

Dead code

Answer 45

A section of an application that executes but performs no meaningful function.

Question 46

Model verification

Answer 46

A test used to ensure that the projected application meets all specifications at that point.

Question 47

Compiled code testing

Answer 47

Searching for errors that could prevent an application from properly compiling from source code to application code.

Question 48

Runtime code testing

Answer 48

Looking for errors after the program has compiled correctly and is running, such as a pointer deference or memory leak.

Question 49

Sandbox

Answer 49

A testing environment that isolates untested code from the live production environment.

Question 50

Static program analyzers

Answer 50

Tools that examine software without actually executing the program; instead, the source code is reviewed and analyzed.

Question 51

Dynamic analysis (fuzzing)

Answer 51

Software testing technique that deliberately provides invalid, unexpected, or random data as inputs to a computer program.

Question 52

Stress testing

Answer 52

Putting an application under a heavier than norma load to determine if the program is robust and can perform all error handling correctly.

Question 53

Integrity measurement

Answer 53

An “attestation mechanism” designed to ensure that an application is running only known and approved executables.