Domain 8 Flashcards
Static Application Security Testing (SAST)
Analysis of software without execution
- Tester has access to the source code (white-box view); finds bugs such as hard-coded secrets or dangerous calls before the code ever runs
Dynamic Application Security Testing (DAST)
Analysis of software while it is running
- Tester needs no knowledge of, or access to, the source code; the running application is probed as a black box
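The defining property of SAST is that the code is parsed, not executed. The following is an added illustration (not part of the original cards, and not any real tool's code) of a minimal SAST rule: it walks the Python abstract syntax tree of a constructed sample file and flags dangerous call sites. The rule set `SINKS` and the sample source are assumptions made for the example; a real tool adds data-flow analysis to tell attacker-controlled arguments from constants.

```python
"""Toy SAST rule: find dangerous call sites by walking the Python AST.
The scanned code is parsed, never executed. Added illustration with a
deliberately small rule set (SINKS); real tools add data-flow analysis."""
import ast
from typing import List, Optional, Tuple

# Sink -> why it is flagged. Assumed rule set written for this example.
SINKS = {
    "eval": "evaluates a string as code",
    "exec": "executes a string as code",
    "os.system": "passes a string to the shell",
    "pickle.loads": "deserialises untrusted bytes",
}

def _dotted_name(node: ast.Call) -> Optional[str]:
    """'foo(...)' -> 'foo'; 'mod.attr(...)' -> 'mod.attr'; anything else -> None."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return None

def _has_shell_true(node: ast.Call) -> bool:
    """True when the call carries the literal keyword argument shell=True."""
    return any(
        kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in node.keywords
    )

def find_dangerous_calls(source: str) -> List[Tuple[int, str, str]]:
    """Return (line, callee, reason) for every flagged call, ordered by line."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node)
        if name is None:
            continue
        if name.startswith("subprocess.") and _has_shell_true(node):
            findings.append((node.lineno, name, "shell=True hands the command string to a shell"))
        elif name in SINKS:
            findings.append((node.lineno, name, SINKS[name]))
    return sorted(findings)

# Constructed sample to scan; it is only parsed, never imported or run.
SAMPLE_SOURCE = '''
import os, subprocess, pickle

def run(user_input):
    os.system("ls " + user_input)                    # line 5: flagged
    subprocess.run(["ls", user_input])               # line 6: list argv, no shell
    subprocess.run("ls " + user_input, shell=True)   # line 7: flagged
    return eval(user_input)                          # line 8: flagged
'''

if __name__ == "__main__":
    for line, callee, reason in find_dangerous_calls(SAMPLE_SOURCE):
        print(f"line {line}: {callee} ({reason})")
```

Note that line 6 of the sample is not flagged: the argv list form never touches a shell, which is exactly the distinction a DAST scanner could only discover by sending payloads at runtime.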
Relational Database Management Systems (RDBMS)
Basic Architecture:
- Tables (relations)
- Rows (records)
- Columns (fields / attributes)
- Candidate Keys (any attribute or set of attributes that uniquely identifies a row; one or more per table)
- Primary Key (one per table, chosen by the designer from the candidate keys)
- Foreign Keys (reference the primary key of another table; enforce referential integrity)
RDBMS Threats & Vulns
Aggregation
Combining individually non-sensitive data from separate sources or records to produce sensitive information
- Need to know / least privilege (limit who can query across the underlying data) helps prevent it
- Mathematical in nature: combining, counting or summing values
RDBMS Threats & Vulns
Inference
Deducing sensitive information from observing non-sensitive pieces of information
- Blurring (perturbing) data, database partitioning and polyinstantiation help prevent it
- Based on human deduction rather than arithmetic
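The following is an added illustration (not part of the original cards) of both cards above against a statistics-only database interface. The `employees` table and its rows are constructed sample data, and `stat_query()` is an assumed stand-in for an "aggregates only" reporting API. It shows a single-row inference, the query-set-size control that stops it, and a tracker attack that aggregates two harmless sums to recover the same value despite that control.

```python
"""Inference and aggregation against a statistics-only database interface.
Added illustration: the employees table and its rows are constructed sample
data, and stat_query() stands in for a real 'aggregates only' reporting API."""
import sqlite3
from typing import Tuple

ROWS = [                      # (name, dept, salary); salary is the sensitive field
    ("alice", "eng", 120000),
    ("bob",   "eng", 110000),
    ("carol", "eng", 130000),
    ("dave",  "ops",  90000),
    ("erin",  "ops",  95000),
    ("frank", "sec", 150000),  # the only member of dept 'sec'
]
TARGET = "frank"

def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE employees(name TEXT, dept TEXT, salary INTEGER)")
    con.executemany("INSERT INTO employees VALUES (?, ?, ?)", ROWS)
    return con

def stat_query(con, agg: str, where: str = "1=1", params: Tuple = (), min_size: int = 0):
    """Answer only COUNT/SUM/AVG over salary. With min_size > 0 it applies
    query-set-size control: refuse any query matching fewer than min_size rows.
    `agg` and `where` are fixed strings written in this module (never user
    input); values are bound with ? placeholders."""
    if agg not in ("COUNT", "SUM", "AVG"):
        raise ValueError("aggregate queries only")
    n = con.execute(f"SELECT COUNT(*) FROM employees WHERE {where}", params).fetchone()[0]
    if n < min_size:
        raise PermissionError(f"query set size {n} is below the minimum {min_size}")
    return con.execute(f"SELECT {agg}(salary) FROM employees WHERE {where}", params).fetchone()[0]

def infer_by_small_set(con, min_size: int = 0):
    """Inference 1: a filter that matches exactly one row turns AVG into a lookup."""
    return stat_query(con, "AVG", "dept = ?", ("sec",), min_size)

def size_control_blocks_small_set(con, min_size: int = 3) -> bool:
    """True if query-set-size control stops the single-row inference."""
    try:
        infer_by_small_set(con, min_size)
        return False
    except PermissionError:
        return True

def infer_by_tracker(con, min_size: int = 3):
    """Inference 2 (tracker attack): aggregate two large, individually harmless
    sums; their difference is exactly the target's salary. Both queries pass
    the size check, so size control alone does not stop it."""
    total = stat_query(con, "SUM", "1=1", (), min_size)
    all_but_target = stat_query(con, "SUM", "name <> ?", (TARGET,), min_size)
    return total - all_but_target

if __name__ == "__main__":
    con = make_db()
    print("no controls, AVG over one row:", infer_by_small_set(con))
    print("size control blocks that query:", size_control_blocks_small_set(con))
    print("tracker still recovers it:", infer_by_tracker(con))
```

The tracker is why the card lists blurring and partitioning rather than a size threshold alone: adding noise to each answer, or keeping the sensitive column in a separately protected partition, breaks the exact arithmetic the attack depends on.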
Types of Storage & Memory
Primary (“Real”) Memory
Memory that is directly addressable by the system's CPU
- Normally volatile RAM; the highest-performance tier
Types of Storage & Memory
Secondary Storage
Inexpensive, nonvolatile resources available to a system for long-term storage
- Hard drives, tapes, optical discs
Types of Storage & Memory
Virtual Memory
Allows a system to simulate additional primary memory through the use of secondary storage
Ex)
- A system low on RAM writes inactive pages to a page/swap file on disk and reads them back into RAM when the CPU next touches them; the CPU never addresses the disk directly
Types of Storage & Memory
Virtual Storage
Allows a system to simulate secondary storage through the use of primary storage
- Provides a very fast file system for apps, but contents are lost on power loss or reboot (no recovery capability)
Ex) A RAM disk: RAM that presents itself to the OS as a drive
Types of Storage & Memory
Random Access Storage
Allows the OS to request contents from any point within the media
Ex) RAM and hard drives
Types of Storage & Memory
Sequential Access Storage
Requires reading through the media from the beginning until the desired location is reached
Ex) Magnetic tape
Types of Storage & Memory
Volatile Storage
Loses its contents when power is removed from the resource
Ex) RAM
Types of Storage & Memory
Nonvolatile Storage
Does not depend on power to maintain contents
Ex) Magnetic / optical media, flash (SSDs) and nonvolatile RAM (NVRAM)
ML and Neural Networks
Expert Systems
2 main components:
1. Knowledge base that contains a series of “if/then” rules
2. Inference engine that applies those rules to the facts it is given to draw conclusions
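The two components of the card above, as an added illustration (not part of the original cards and not any real product's code): a knowledge base of if/then rules and a forward-chaining inference engine that fires rules whose conditions are all known facts until nothing new can be derived. The rules and the account-takeover facts are assumptions constructed for the example.

```python
"""Toy expert system: rule knowledge base plus a forward-chaining inference
engine. Added illustration; the rules and facts are constructed, not drawn from
any real product."""
from typing import FrozenSet, List, Set, Tuple

# Knowledge base entry: (if-conditions, then-conclusion). All conditions must hold.
Rule = Tuple[FrozenSet[str], str]

RULES: List[Rule] = [
    (frozenset({"many_failed_logins", "new_source_ip"}), "possible_credential_stuffing"),
    (frozenset({"possible_credential_stuffing", "login_success"}), "account_compromised"),
    (frozenset({"account_compromised", "privileged_account"}), "escalate_to_ir"),
    (frozenset({"account_compromised"}), "force_password_reset"),
]

ACTIONS = {"escalate_to_ir", "force_password_reset"}   # conclusions that are actions

def infer(facts: Set[str], rules: List[Rule] = RULES) -> Tuple[Set[str], List[str]]:
    """Forward chaining: repeatedly fire any rule whose conditions are all known
    facts and add its conclusion, until a full pass derives nothing new.
    Returns the closed set of facts and the conclusions in the order drawn
    (the trace is what lets an expert system explain its reasoning)."""
    known = set(facts)
    trace: List[str] = []
    changed = True
    while changed:
        changed = False
        for conditions, conclusion in rules:
            if conclusion not in known and conditions <= known:
                known.add(conclusion)
                trace.append(conclusion)
                changed = True
    return known, trace

def recommended_actions(facts: Set[str]) -> List[str]:
    """Only the derived conclusions that are actions, sorted for stable output."""
    known, _ = infer(facts)
    return sorted(known & ACTIONS)

if __name__ == "__main__":
    observed = {"many_failed_logins", "new_source_ip", "login_success", "privileged_account"}
    known, trace = infer(observed)
    print("reasoning:", " -> ".join(trace))
    print("actions:", recommended_actions(observed))
```

The rule order matters only for the trace; the closed fact set is the same regardless, because the loop keeps passing over the rules until a pass adds nothing.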
ML and Neural Networks
Machine Learning
Attempt to algorithmically discover knowledge from data sets.
ML and Neural Networks
Neural Networks
Simulate function of the human mind by arranging a series of layered calculations to solve problems
- Require extensive training on a particular problem before they can give solutions
Systems Development Models
Waterfall
Strictly sequential, in contrast to Agile's iterative approach
a sequential development process that results in the development of a finished product
7 Stages:
1. System Requirements
2. Software Requirements
3. Preliminary Design
4. Detailed Design
5. Code and Debug
6. Testing
7. Ops & Maintenance
(Modified waterfall allows feedback, but only back to the immediately preceding stage)
Systems Development Models
Spiral
Uses several iterations of Waterfall model to produce a number of fully specified and tested prototypes
- metamodel or model of models
- Loops the waterfall model where each loop is a new prototype
- Allows devs to return to planning stage as requirements change
Software Capability Maturity Model (SW-CMM)
5 Maturity Levels:
1. Initial - ad hoc, no defined process
2. Repeatable - basic lifecycle management processes in place; results can be repeated
3. Defined - formal, documented software development process followed across the org
4. Managed - quantitative measures used to gain a detailed understanding of the process
5. Optimizing - continuous process improvement driven by feedback loops
IDEAL Model
Initiating: Business reasons outlined, support & infrastructure for initiative put in place
Diagnosing: Engineers analyze current state of org and make recommendations for change
Establishing: Org takes recommendations and develops plan to achieve those changes
Acting: Plan is put into action
Learning: Org continues to analyze efforts and results, proposes new action to drive better results
Change and Config Mgmt in Software Dev
Request Control
framework where users can request modifications, managers do cost / benefit analysis, devs prioritize tasks
Change and Config Mgmt in Software Dev
Change Control
Used by developers to re-create the situation encountered by the user and analyze the changes needed to remedy situation
Change and Config Mgmt in Software Dev
Release Control
Once changes are finalized, they must be approved for release through the release control procedure.
- Should also include acceptance testing and verification that debugging code and backdoors have been removed
Virus Propagation Techniques
File Infection
Attach to executable files and run when the OS executes the infected file
Virus Propagation Techniques
Service Injection
Escape detection by injecting themselves into a trusted runtime process of the OS, such as svchost.exe or explorer.exe
Virus Propagation Techniques
Boot Sector Infection
Infect the boot sector and are loaded into memory during the OS load process
Virus Propagation Techniques
Macro Infection
Spread through code in document macros (often Visual Basic for Applications (VBA) in Microsoft Office documents)
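A practical check for the macro card, as an added illustration (not part of the original cards and not any product's code): Office Open XML files (.docx, .docm, .xlsm, ...) are zip containers, and a macro-enabled one carries a binary VBA project part plus a content-type registration for it. The two documents below are constructed in memory to mimic that container layout; they are not real Word files, and the OLE-header bytes in the macro part are a placeholder.

```python
"""Check an Office Open XML file for an embedded VBA project without opening it
in Office. Added illustration: the two documents are constructed in memory to
mimic the .docx/.docm container layout and are not real Word files."""
import io
import zipfile
from typing import List

VBA_PART = "vbaProject.bin"                           # binary VBA project part
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"

def build_sample(with_macros: bool) -> bytes:
    """Minimal OOXML-style zip (constructed). Real files have many more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        types = ['<?xml version="1.0"?><Types>',
                 '<Default Extension="xml" ContentType="application/xml"/>']
        if with_macros:
            types.append(f'<Default Extension="bin" ContentType="{VBA_CONTENT_TYPE}"/>')
            # Placeholder: OLE compound-file magic followed by padding, standing in
            # for the real stream that holds the macro code.
            z.writestr(f"word/{VBA_PART}", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
        types.append("</Types>")
        z.writestr("[Content_Types].xml", "".join(types))
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()

def is_ooxml_container(data: bytes) -> bool:
    """OOXML is a zip; legacy .doc/.xls binaries (OLE) are not."""
    return zipfile.is_zipfile(io.BytesIO(data))

def macro_indicators(data: bytes) -> List[str]:
    """Reasons the package looks macro-enabled; an empty list means none found."""
    if not is_ooxml_container(data):
        raise ValueError("not an OOXML zip container; use an OLE parser for legacy formats")
    reasons = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # 1. The VBA project part, wherever it sits in the package
        for n in names:
            if n.rsplit("/", 1)[-1].lower() == VBA_PART.lower():
                reasons.append(f"VBA project part present: {n}")
        # 2. The content-type registration that macro-enabled formats carry
        if "[Content_Types].xml" in names:
            ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
            if VBA_CONTENT_TYPE in ct:
                reasons.append("content types declare a VBA project")
    return reasons

def has_vba_macros(data: bytes) -> bool:
    return bool(macro_indicators(data))

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, macro_indicators(f.read()))
```

Two indicators are checked rather than one because a file renamed from .docm to .docx still carries both; a part renamed to evade the filename check is still exposed by its content type, and a mail gateway would normally go one step further and parse the OLE streams themselves (for example with olevba from the oletools project) to extract the macro source.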
Software Development Lifecycle
- Requirements Analysis
- Design
- Implementation
- Testing
- Evolution
Mnemonic: Real Developers' Ideas Take Effort
Concentric Circle Security
Avoids monolithic security stance
- layered defense
- defense in depth
Shrink Wrap Code Attacks
Exploiting unpatched or poorly configured off-the-shelf software that you buy and install