Domain 8 Flashcards
__ application security testing involves probing a fielded or running application in order to discover potential flaws. This is considered __ box testing.
dynamic application security testing or dynamic application testing, black box testing.
__ computing includes client/server (user over server-based applications by interfacing via the client), 3-tier (web apps e.g. web front-end, middleware, backend data store), and peer-to-peer (each endpoint is equally capable).
distributed computing
__ is when you find a vulnerability in Microsoft’s code and publicly release it, which forces Microsoft to fix it. __ is going straight to Microsoft and waiting for them to release a fix.
full disclosure, closed disclosure
__ is the acronym for “Secure: by Design, by Default, by Deployment and Communications”
SD3+C. Application security is always best when integrated from the beginning e.g. Windows 8 will always be more secure than Windows XP since security wasn’t a critical design goal at that time.
__ is the development of a working model with test or real data using an iterative approach supported by user and developer interaction. This SDLC model typically implies frequent customer/client interaction throughout the project.
software prototyping
__ occur in applications which request and later improperly release memory. Sensitive information can also be divulged.
memory leaks
__ overflow can add a bit and overwrite information on the stack. Potential issues with this attack are: memory holding an overflowed variable may be reset to zero (UID 0 is root on Unix), other memory may be corrupted, and program logic can misfire due to unexpected values.
integer overflow
__ seeks to address issues that can arise from the separation of development and the operational environment.
DevOps (Development + Operations): application issues can stem from code, but can also stem from the operational environment
__ tools can be used to develop application systems faster and to increase programmers’ and analysts’ productivity.
CASE Tools: Computer-Aided Software Engineering tools
A __ can mitigate a simple stack-smashing attack since this value is checked before the function returns. If it is changed, the function will normally exit with an error since the return pointer is eliminated (so you know malicious software is running).
canary
A __ tool is a computer-based product aimed at supporting one or more activities within any aspect of the software development process. It might support only one particular part of this process (such as compilers, editors or UI generators).
CASE Tools: Computer-Aided Software Engineering tools
Application issues can arise from flaws in code, but also from issues within the operational environment. This approach seeks better understanding, communication and integration among the development and operations portions of an organization.
DevOps (Development and Operations)
Canaries may be used in a heap (where dynamic memory allocation normally occurs). What does Microsoft call a heap canary?
cookie
Difference between open source and closed source.
open source: source is provided to you. Closed source: source is not provided to you. It is not the same as free vs. commercial. Sometimes commercial vendors will provide the source code so you can validate it from a security perspective.
Different types of canaries include a terminator canary (smashing the stack will normally alter and kill the canary), null canary (all null bytes) and a random canary (each byte is a random number). Which is the most secure form of canary?
random canary
Eclipse and MS Visual Studio are two popular __.
IDEs (Integrated Development Environment)
For this CMMI level continuous process improvement is enabled by quantitative feedback from the process and from piloting innovative ideas and technologies.
Level 5 Optimizing
In addition to avoiding flaws, this approach also seeks to streamline the process of deploying an application into operations, which can make for more efficient application updates.
DevOps (Development + Operations)
In distributed applications a client can send input to a remote system process to carry out an action. This communication is referred to as a __. __ is a traditional solution to this problem.
RPC (Remote Procedure Call), CORBA (Common Object Request Broker Architecture) employs an Object Request Broker as an intermediary to solve the problem of coordinating the communication.
In order to finish a project, 5 people slept in the office for 5 days. Which level of the CMMI does this indicate?
Level 1 Initial (ad hoc, chaotic, few processes, occasionally chaotic. Success depends on individual efforts and heroics.)
In software security testing, __ involves running tools against application source code to look for known patterns that suggest particular types of security flaws (buffer overflows, SQL injection, OS Command injection)
static analysis
In this level of CMMI, the necessary process discipline is in place to repeat earlier successes on projects with similar applications.
Level 2 Managed
In this SDLC model, phases occur in succession and after each phase is completed, it is closed and not revisited.
waterfall model: phases occur in succession like water falling down a waterfall
Methodologies for software development to improve the process and end-product.
SDLC (Software Development Life Cycle), also referenced as Systems Development Life Cycle
Microsoft’s __ establishes 16 practices divided amongst traditional development phases.
MS SDL: Microsoft Security Development Lifecycle. Key practices are under “MS SDL key practices - D8 pg19”
Name the software development methodologies aka SDLC models.
waterfall, spiral, prototyping, agile, scrum, XP (Extreme Programming). For the exam think evolution - waterfall: too much time between deliveries; spiral: more increments but still not what the customer wants; prototyping: customer now actively engaged in design but the team still went off for too much time; Agile is where we’re meeting every 3-4 weeks instead of 3-4 years.
Pair programming, continuous integration and continuous deployment are some terms often associated with this SDLC approach.
Agile: Pair programming (two developers coding from one machine in which the 2nd developer reviews code as it is written), Continuous integration (regularly integrating developer contributions back into the main branch, thereby find out about issues earlier), continuous deployment (similar to continuous integration but the code is actually deployed into production rather than just pushed back into main branch)
Programmers can harden their applications via the use of secure __ such as Libsafe and SSP/ProPolice e.g. Libsafe will confirm that all variables are checked.
standard libraries. These include additional protections against vulnerabilities such as buffer overflows e.g. stack canaries
QA and UAT are types of __ application testing, primarily to ensure functionality and usability of the application are appropriate. While not overtly security-focused they can be built to include security relevant test cases.
dynamic application testing
SD3+C stands for __, a centerpiece of Microsoft’s SDL
Secure: by Design, by Default, by Deployment and Communications. Application security is always best when integrated from the beginning e.g. Windows 8 will always be more secure than Windows XP since security wasn’t a critical design goal at that time.
Some numeric values are often stored in fixed length memory locations. What type of attack seeks to exploit this characteristic to achieve memory corruption or more?
integer overflow since it’s fixed length memory locations; buffer overflow is NOT fixed length
The __ focuses on quality management practices and established a basis for evaluation of the development process.
CMMI (Capability Maturity Model Integration) D8 pg 7
The __ level of CMMI has measurable metrics, can measure processes and make sure quality is being done correctly.
Level 4 Quantitatively Managed
The __ model is a software development methodology that is also known as the “Traditional Method”.
waterfall model
The __ model of the SDLC features a cyclic approach and set of anchor-point milestones. It is driven by risk.
spiral model
The __ serves as the developer’s workspace and typically includes at least a code editor, debugger, and builder/compiler. It typically goes beyond simple code editing and debugging to increase the efficiency of the development.
IDE (Integrated Development Environment)
The Agile approach is comprised of __ (5-10 min call every day with the customer and testing on the following day; worst case we’ve lost 24 hours) and __ (having customer be part of development team so customer representative is always there; what is the simplest thing to add value to customer).
Scrum, XP (Extreme Programming)
The primary focus of employing SDL is different from SDLC. What is the main purpose of SDL?
Security since SDL (Security Development Lifecycle) vs SDLC (Software Development Lifecycle)
The primary purpose of __ and __ is to ensure that the functionality and usability of the application are appropriate.
QA testing and UAT testing
The SDLC model of __ allows you to prove concepts for the development of software, systems or applications.
software prototyping
There is a risk of not meeting what the customer wants in which SDLC model (since there is no customer involvement).
waterfall model
There is no customer involvement and no going back in which SDLC model?
waterfall model
This SDLC model can simply be a non-operational mock-up.
software prototyping
We are concerned that although apps are validated, there will be unforeseen issues in the operational environment. This is most closely tied to what approach?
DevOps (Development + Operations)
We are concerned that although apps are validated, there will be unforeseen issues in the production environment. This is most closely tied to what approach?
DevOps (Development + Operations)
What are the CMMI levels?
Level 1 Initial (ad hoc, chaotic), Level 2 Managed (basic processes), Level 3 Defined (documenting, having predictable outcome), Level 4 Quantitatively Managed (metrics), Level 5 Optimizing (continuous improvement)
Capability Maturity Model Integration: D8 pg 7
What is the number one way to reduce risk in code development?
all code should undergo code reviews aka security reviews before implementation. This is an ISC2 golden rule. Other important points: developers should never be directly modifying production code; you always want detailed logging. Minimize buffer overflows, escalation of privilege and backdoors.
Which level of CMMI is where you have formal documentation and can start planning out projects?
Level 3 Defined (software process documented/standardized)
Which type of testing would be most appropriate to ensure that all expected functionality of the application is present and working properly?
UAT testing or if that’s not there, it is a subset of QA testing so you can choose that as well