Domain 4 Flashcards
Common security flaw in APIs
Broken or missing authentication (one of the top entries in the OWASP API Security Top 10)
Common industry-standard format for software versioning
major.minor.patch (semantic versioning: major for incompatible changes, minor for backward-compatible features, patch for backward-compatible fixes)
OWASP’S Application Security Verification Standard (ASVS) has three primary usage models
To be used as:
Metric
Guidance
to be used during procurement
dynamic secrets
Dynamic secrets are generated on demand, with a short lifetime, for one specific requester. Because each secret is unique to a single consumer and use, its activity can be audited and revoked individually, unlike a shared static credential whose use by many clients is indistinguishable in logs.
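As an added example (not from the flashcards), the following simulates a secrets broker that mints a unique, short-lived database credential per request and keeps an audit log. The broker, its method names and the lease format are hypothetical; the point is that a username seen in database logs maps back to exactly one requester, and one compromised lease can be revoked without affecting anyone else.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Lease:
    """One dynamically issued credential plus the metadata needed to audit it."""
    lease_id: str
    requester: str
    username: str
    password: str
    expires_at: float
    revoked: bool = False


@dataclass
class SecretsBroker:
    """Hypothetical broker: mints a unique, short-lived credential per request."""
    ttl_seconds: float = 300.0
    leases: Dict[str, Lease] = field(default_factory=dict)
    audit_log: List[Tuple[str, str, str, float]] = field(default_factory=list)

    def issue(self, requester: str, now: Optional[float] = None) -> Lease:
        now = time.time() if now is None else now
        lease = Lease(
            lease_id=secrets.token_hex(8),
            requester=requester,
            # A fresh username per lease means a database log line naming this
            # user points at exactly one requester; a shared "app" account cannot.
            username=f"app-{secrets.token_hex(4)}",
            password=secrets.token_urlsafe(24),
            expires_at=now + self.ttl_seconds,
        )
        self.leases[lease.lease_id] = lease
        self.audit_log.append(("issue", lease.lease_id, requester, now))
        return lease

    def revoke(self, lease_id: str, now: Optional[float] = None) -> bool:
        """Revoke one lease without touching any other requester's credential."""
        now = time.time() if now is None else now
        lease = self.leases.get(lease_id)
        if lease is None or lease.revoked:
            return False
        lease.revoked = True
        self.audit_log.append(("revoke", lease_id, lease.requester, now))
        return True

    def is_valid(self, lease_id: str, now: Optional[float] = None) -> bool:
        """A lease is usable only while unrevoked and before its TTL expires."""
        now = time.time() if now is None else now
        lease = self.leases.get(lease_id)
        return lease is not None and not lease.revoked and now < lease.expires_at

    def requester_for(self, username: str) -> Optional[str]:
        """Map a username seen in database logs back to the service that requested it."""
        for lease in self.leases.values():
            if lease.username == username:
                return lease.requester
        return None


if __name__ == "__main__":
    broker = SecretsBroker(ttl_seconds=60)
    billing = broker.issue("billing-service")
    reports = broker.issue("reporting-service")
    broker.revoke(billing.lease_id)  # compromised: only billing loses access
    print(broker.is_valid(billing.lease_id), broker.is_valid(reports.lease_id))
    for entry in broker.audit_log:
        print(entry)
```

With a static shared secret, the equivalent revocation would require rotating the one credential every service uses; here the audit log and the revocation are scoped to a single lease.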
ATASM
ATASM (Brook Schoenfield's threat modeling process) considers Architecture, Threats, Attack Surfaces (not individual attacks), and Mitigations.
Database Activity Monitor (DAM)
A Database Activity Monitor (DAM) observes database traffic and queries in real time; it logs and monitors privileged-account usage in addition to providing other security and monitoring features.
SMS Factors - least secure
SMS-based one-time codes are considered the least secure common second factor because SIM swapping and attacks on VoIP/SMS delivery let an attacker receive the code.
XML Firewalls
XML firewalls can improve the security of SAML-based applications by inspecting XML traffic and blocking XML-specific attacks such as XML injection and XML external entity (XXE) attacks.
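As an added example (not from the flashcards), the following shows the XML injection an XML firewall is meant to catch, next to the application-level fix. A SAML-style assertion is assembled from an untrusted role value; string concatenation lets the value close the element and open a second one, while building the document with an XML library keeps it as text. The element names, the constructed attacker input and the heuristic check are assumptions for this example.

```python
import xml.etree.ElementTree as ET
from typing import List


def build_unsafe(subject: str, role: str) -> str:
    """Vulnerable: untrusted values are concatenated straight into the XML text."""
    return (
        "<Assertion>"
        f"<Subject>{subject}</Subject>"
        f"<Role>{role}</Role>"
        "</Assertion>"
    )


def build_safe(subject: str, role: str) -> str:
    """Hardened: the XML library escapes <, > and & so input stays a text node."""
    root = ET.Element("Assertion")
    ET.SubElement(root, "Subject").text = subject
    ET.SubElement(root, "Role").text = role
    return ET.tostring(root, encoding="unicode")


def roles_in(document: str) -> List[str]:
    """What a relying party would read back: the text of every Role element."""
    return [elem.text or "" for elem in ET.fromstring(document).findall("Role")]


def looks_like_xml_injection(value: str) -> bool:
    """Heuristic of the kind an XML firewall applies to a text-only field:
    markup characters where only plain text is expected."""
    return any(ch in value for ch in "<>&")


# Constructed malicious input: closes the Role element and opens a second one.
ATTACKER_ROLE = "user</Role><Role>admin"

if __name__ == "__main__":
    print(roles_in(build_unsafe("alice", ATTACKER_ROLE)))  # the injected admin role appears
    print(roles_in(build_safe("alice", ATTACKER_ROLE)))    # still one role, still text
```

The heuristic in looks_like_xml_injection is deliberately crude (a legitimate value like "R&D" would trip it); a real XML firewall validates the whole message against a schema rather than scanning fields for characters.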
Security-focused code
Interactive application security testing (IAST)
Interactive application security testing (IAST) instruments the running application (typically with an agent) to observe code paths and data flows while functional tests exercise it, reporting vulnerabilities as they are triggered; it is typically conducted during the QA/Test phase of the SDLC.
SAFECode
Software Assurance Forum for Excellence in Code (SAFECode).
Changing encryption algorithms when a weakness is found in the one currently in use is a best practice that SAFECode recommends. They call it "cryptographic agility" and note that you need to be able to transition to new mechanisms, libraries, and keys when needed. Defining what to protect, which mechanisms will be used, and how keys and certificates will be managed are also common best practices recommended by SAFECode.
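As an added example (not SAFECode's code), the following shows one way to build cryptographic agility into a message-authentication tag: the algorithm and key identifiers travel with the tag, so a deployment can keep verifying tags produced under the old algorithm while issuing new tags only with the current one, re-protect legacy tags as they are seen, and finally retire the old algorithm. The registry contents, the sample keys and the "alg:keyid:hex" tag format are assumptions for this example.

```python
import hmac
import hashlib
from typing import Optional, Tuple

# Algorithms the verifier still accepts. Names are assumptions for this example.
ALGORITHMS = {
    "hmac-sha1": hashlib.sha1,
    "hmac-sha256": hashlib.sha256,
    "hmac-sha3-256": hashlib.sha3_256,
}
# The only algorithm and key new tags are produced with. Migrating the
# deployment means changing these two lines and re-protecting stored tags.
CURRENT_ALG = "hmac-sha256"
CURRENT_KEY_ID = "k2"
# Constructed sample keys; in practice they come from a KMS or vault.
KEYS = {
    "k1": bytes.fromhex("3f1a9c0e5b7d2846a0c4e8f12b6d9a3c5e7f0b2d4a6c8e1f3b5d7a9c1e2f4b6d"),
    "k2": bytes.fromhex("9d2b6f4e8a1c3e5f7b9d0a2c4e6f8b1d3a5c7e9f0b2d4c6e8a1f3b5d7c9e2a4f"),
}


def protect(message: bytes, alg: str = CURRENT_ALG, key_id: str = CURRENT_KEY_ID) -> str:
    """Produce a self-describing tag so the verifier knows how to check it."""
    digest = hmac.new(KEYS[key_id], message, ALGORITHMS[alg]).hexdigest()
    return f"{alg}:{key_id}:{digest}"


def verify(message: bytes, tag: str) -> Tuple[bool, bool]:
    """Return (valid, needs_upgrade). Unknown algorithms or keys never verify."""
    parts = tag.split(":")
    if len(parts) != 3:
        return False, False
    alg, key_id, digest = parts
    if alg not in ALGORITHMS or key_id not in KEYS:
        return False, False
    expected = hmac.new(KEYS[key_id], message, ALGORITHMS[alg]).hexdigest()
    valid = hmac.compare_digest(expected, digest)  # constant-time comparison
    needs_upgrade = valid and (alg != CURRENT_ALG or key_id != CURRENT_KEY_ID)
    return valid, needs_upgrade


def reprotect(message: bytes, tag: str) -> Optional[str]:
    """Re-issue a valid legacy tag under the current algorithm and key.
    Returns None for an invalid tag and the tag unchanged if already current."""
    valid, needs_upgrade = verify(message, tag)
    if not valid:
        return None
    return protect(message) if needs_upgrade else tag


def retire(alg: str) -> None:
    """Stop accepting an algorithm once every stored tag has been re-protected."""
    ALGORITHMS.pop(alg, None)


if __name__ == "__main__":
    msg = b"user=alice;role=admin"
    legacy = protect(msg, alg="hmac-sha1", key_id="k1")
    print(verify(msg, legacy))            # valid, but flagged for upgrade
    print(reprotect(msg, legacy))          # same message under hmac-sha256 / k2
    retire("hmac-sha1")
    print(verify(msg, legacy))            # no longer accepted
```

The same pattern applies to stored password hashes and encrypted records: tagging each artifact with its algorithm and key version is what makes the transition SAFECode describes possible without a flag day.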
Abuse Case Testing
Abuse case testing examines how users could misuse the software, which is the kind of issue this question is concerned with. White box (full knowledge) and black box (zero knowledge) testing describe how much information testers have about the environment, and use case testing validates how software is supposed to be used, not how it could be abused.
If containers currently run as root
Remediation
Setting a nonprivileged user as the process owner (for example with a Dockerfile USER instruction, or runAsNonRoot/runAsUser in a Kubernetes pod securityContext) works in many cases; images that need root only to bind a privileged port or write to a root-owned path should have those dependencies removed rather than keep running as root.