CySA+ Study Notes 7 Flashcards
(1) Planning : includes preparing materials, identifying participants, and scheduling the review. (2) Overview : assigning roles to participants and providing an overview of the software. (3) Preparation : participants independently examine code for potential defects. (4) Meeting : reviewers discuss and formally identify any code defects. (5) Rework : code developers correct any defects found during inspection. (6) Follow-up : leader verifies defects were resolved and completes project documentation.
Fagan Process
Software Validation : is software meeting business requirements?
Software Verification : are we building the right software?
Fuzzing : attempt to cause unpredictable state or unauthorized access.
In a parameterized query, the SQL template is precompiled on the database server; this protects against SQL injection and improves database performance.
Stored Procedures : implementation of parameterized queries used by some database platforms.
Output Encoding : techniques to protect applications from malicious input, like SQL injection and XSS attacks.
HTML Encoding : uses & notation to replace dangerous values that appear in an HTML-based web document.
URL Encoding : uses % notation to replace dangerous values that appear in a URL.
Error Handling : avoids unpredictable states.
Code Repositories : store software source code files, coordinate change among multiple developers, perform version control, promote code reuse.
Code Signing : digital signatures provide nonrepudiation.
Signing Code : developer obtains a digital certificate, then creates a digital signature for the code using the private key associated with the certificate.
Verifying Code Signatures : user downloads software, then the OS uses the certificate's public key to validate the signature, then the OS verifies the signature's hash matches the code.
API : a set of interfaces that allow users and other services to interact with a service programmatically. API Standards -> SOAP : uses XML format; REST : uses HTTPS protocol.
SOA : design philosophy that embraces the use of discrete services that may be accessed by customers in a black-box fashion. SOA Characteristics : logical representations of a repeatable business activity with a specified outcome, self-contained, may be composed of other services, black-box nature.
TPM : allows full disk encryption on computers without degrading performance; the TPM contains the encryption keys.
Attestation : confirmed hashes are stored in the TPM.
Hardware Root of Trust : Verifies firmware integrity.
Bus Encryption : Protects inter-component communication.
Secure Enclaves : provide hardware-based encryption key management.
Processor Security Extensions : allow applications to request their own protected areas of memory.
Atomic Execution : full execution or no execution at all; partial execution is not done.
Nonrepudiation is only possible with asymmetric cryptography.
Web of Trust : relies on indirect relationships.
(1) Authorization : have written authorization to prove testing is legitimate. (2) Scope : determine systems involved in test and identify approved testing techniques. (3) Timing : conduct testing at time that is least disruptive to critical business activity.
Planning Phase (Penetration Testing)