Domain 8 - Software Development Security Flashcards
out of IAAS (infrastructure as a service) PAAS (platform as a service) and SAAS (software as a service) which one requires the least amount of responsibility from the business owner and more responsibility from the cloud vendor
SAAS (software as a service) puts all the responsibility for security and maintenance on the cloud vendor. The business only provides their data
in cloud computing, what is a private cloud?
organizations build and run their own cloud infrastructure
in cloud computing what is a public cloud?
shared tenancy (Amazon AWS, Microsoft, Google, IBM) a company builds a massive infrastructure and rents or leases the products or services
in cloud computing, what is a hybrid cloud?
a mix of private and public
in cloud computing, what is Community cloud?
someone that has shared interest, maybe all the chief technical officers in banks in California. They may have a community cloud to discuss important topics, current issues and solutions they share.
out of IAAS (infrastructure as a service) PAAS (platform as a service) and SAAS (software as a service) which one requires the most amount of responsibility from the business owner and least responsibility required from the cloud vendor
IAAS (infrastructure as a service) requires the business/customer to own the most amount of responsibility. The customer is responsible for, OS, databases, security and applications.
what is the customer responsible with PAAS (platform as a service)
the customer is responsible for the application and that’s all. The cloud vendor is responsible for everything else
what do we want for programing – high or low cohesion
High
what do we want for programming – high or low coupling
low
~~~
in programming, cohesion and coupling what is the goal
1. high cohesion, high coupling
2. high cohesion, low coupling
3. low cohesion, low coupling
4. low cohesion, high coupling
- high cohesion, low coupling
maximize cohesion and minimize module dependencies (coupling)
change and configuration management steps (CCM)
- request control
- change control
- release control
change and configuration management - what happens in request control
- change is requested
- managers can conduct cost/benefit analysis
- developers can prioritize tasks
SDLC is part of a larger process known was SLC - what are the two additional phases after implementing SDLC
- Operations and maintenance support(post installation) - monitor for weakness, bacup, restore, methods are implemented. periodic risk analysis
- ** Revisions and system replacment** - changes to SLC follow change management
what is the primary way to prevent cross site scripting vulnerability
- input validation
- 2 types of this attack
— stored (persistant)
— reflected (most common) - all flavors targe the victims browser*
what is the major way to prevent SQL injection
- input validation
- programs should never allow SQL code to be passed directly from a user to the database
what is IDE in software developing
Integrated Development environment
cross site request forger attack
- target a web application
- accomplished by tricking a valid and authenticated user into sending some commands to web applications that trusts the user
- the web application executes these command from an attacker that it should not be executing
concentric circle security is what
- defense in depth or
- layered security
What are some Application-Level Attacks
- overflow, active content, cross-site script, denial of service, SQL injection, session hijacking , phishing.
polyinstantiation
- allows different versions of the same information to exist at different classification levels
- can be used to prevent unauthorized inference by creating different objects of the same name simultaneously
Operating system Attacks
- attackers always try to search for operating system vulnerabilities, like buffer overflow , OS bugs, unpatched operating system.
Misconfiguration Attacks
- target poorly configured service or device, or one left in default configuration (like WiFi router left in default settings)
buffer overflow ways to prevent
- code should be written to perform parameter or bounds checking
—never allow a chunk of data written to the buffer that is larger than the buffer -
Adress space layout randomization (ASLR)
—guards against buffer overflow by randomizing the location where system executibles are loaded into memory
Shrink Wrap Code Attacks
- an act of exploiting holes in unpatched or poorly configured software you buy and install. Often also often contain sample scripts/code.
2 major types of APIs
- REST - representational state transfer
* (most common used)
* lightweight and fast - SOAP - simle object access protocol
* complex and heavyweight
* more capabilities
code obfuscation
- creating code that is difficult for humans to understand
- makes code difficult to reverse engineer
- conceal the purpose of the code
- prevent unauthorized person to know what the code is and does
3 types of code obfuscation
- Lexical - modifies the look (changing comments, removing debugging info and changing format of the code (easiest to do but weakest form)
- data - modifies the data structure (use of variables)
- Control flow - modifies flow of control through the code, reodering statements, methods, loops, creating irrelevant conditional statements
how do you protect against buffer overlfow
- parameter or bounds checking
- do not allow a chunk of data to be written to a buffer that is larger than the buffer
what is xml
- XML stands for eXtensible Markup Language
- XML is a markup language much like HTML
- XML was designed to store and transport data
- XML was designed to be self-descriptive
- XML is a W3C Recommendation
change control steps
- request control
- change control
3.release control
explain due diligence
- its the things the we are doing in advance
- when we are building out and maintaining our security program, we are doing due diligence to be prepared when something goes wrong
*
explain due care
- more tactical and in the moment
- taking the same care the a reasonable person would take under the same circumstances
- day to day security decisions are the same decision that a resonable person would make
- how we configure our firewall rules to how we carry out our incidence response plans
due care vs due diligence
- creating a plan is due diligence
- creating the security framework and governance is due diligence
- creating the policys, procedures , put controls in place, run vulnerability scans, deploy firewalls, countless other controls in place to ensure we are ready when something goes wrong – this is due diligence
- following the plan and doing, is due care
- following the policies, procedues and guildelines
- following up on vulnerability scans and doing something about them
- following up on intrusuion alerts
- analyzing firewall logs
- implementing our incident resposne process
- taking care of any issues found or looking for the issue if you find a hint of something being wrong is due care
- you would not ignore a security concern, you would look for the root cause
Which of the following are rows and columns within relational databases?
A. Rows and tuples
B. Attributes and rows
C. Keys and views
D. Tuples and attributes
D. In a relational database, a row is referred to as a tuple, whereas a column is referred to as an attribute.
Tim is a software developer for a financial institution. He develops middleware software code that carries out his company’s business logic functions. One of the applications he works with is written in the C programming language and seems to be taking up too much memory as it runs over a period of time. Which of the following best describes what Tim should implement to rid this software of this type of problem?
A. Bounds checking
B. Garbage collector
C. Parameter checking
D. Compiling
B. Garbage collection is an automated way for software to carry out part of its memory management tasks. A garbage collector identifies blocks of memory that were once allocated but are no longer in use and deallocates the blocks and marks them as free. It also gathers scattered blocks of free memory and combines them into larger blocks. It helps provide a more stable environment and does not waste precious memory. Some programming languages, such as Java, perform automatic garbage collection; others, such as C, require the developer to perform it manually, thus leaving opportunity for error.
stride threat modeling mitigations per level
Stride mitigation below
use/misuse cases
threat modeling approach
use/misuse
Agile software development
Agile development
Software development life cycle picture
dont forget the planning – phase 1
input sanitization
- Input sanitization is a cybersecurity measure of checking, cleaning, and filtering data inputs from users, APIs, and web services of any unwanted characters and strings to prevent the injection of harmful codes into the system
- simlar desired result as input validation
what levels of cohesions and coupling are we aiming for
high cohesion
low coupling
cohesion and coupling attributes
attributes below
SDLC
NIST 800-64 no longer exist but this is what we are going to try to learn
from NIST 800-64 and BE INFOSEC youtube
SDLC from shon harris and technical institue of america youtube
2nd version…remember one of them
CMMI (maturity levels)
- Maturity Level 1: Initial
Ad hoc and unknown. Work may or may not get completed.
Unpredictable and reactive. Work gets completed but is often delayed and over budget. - Maturity Level 2: Managed
Managed on the project level. Projects are planned, performed, measured, and controlled. - Maturity Level 3: Defined
Proactive, rather than reactive. Organization-wide standards provide guidance across projects, programs, and portfolios. - Maturity Level 4: Quantitatively Managed
Measured and controlled. Organization is data-driven with quantitative performance improvement objectives that are predictable and align to meet the needs of internal and external stakeholders. - Maturity Level 5: Optimizing
Stable and flexible. Organization is focused on continuous improvement and is built to pivot and respond to opportunity and change. The organization’s stability provides a platform for agility and innovation.
what is assurance
- a degree of confidence that security control mechanism built in the system will work effectively throughout the life cycle (TCB) trusted computer base
TCB (trusted computing base)
- totality of protection mechanisms withing a system
* *** breaking it down and examples
* all (everything) protection mechanisms - hardware: TPM
- Firmware - low level software (code signing)
- software: antimalware, host based firewall, security kernel
security kernel
- software mechanisms that control a subjects access to an object
- this is known as a security kernel, its the implementation of the RMC (reference monitor concept)
how digital signatures bind owners to their private keys:
good explaination Here
- alice reaches out to digitalcert for a certificate
- Alice gives digicert a little bit of information on herself including her name and a copy of her public key
- The next step is to proof her identity. The RA (registration authority) verifies that Alice is who she says she is. This is called identity proofing
- The CA (certificate authority) takes Alice’s ID, Alice’s public key and other information such as period of validity then hashes it
- the CA will then use its private key to sign that hash
- The digital certficiate contains
* name of the owner
* copy of their public key
* period of validity
* signed with the CA public key
I hope i have this correct now
who can decrypt a digital cert from one of the big digital authorities
anyone with a their public key and since these are built into browsers, the answer is anyone
do we ever send anyone our public key
absolutely not, we instead send a digital certificate
what does parameterized query do
- its a protection against injection attack
- the client does not directly send sql code to the database server
- client sends arguments to the server
- arguments are in a precompiled template - the underlying SQL statement cant be altered
- and improved database performance
what are store procedures an example of
- parameterized queries
polymorphism
the characteristic of an object to provide different behaviors based on the same message and methods owing to variances in external conditions.
software assurance maturity model (SAMM)
- governance
* metrics, policy, compliance, education, guidance - Design
* security - threat assessment - threat modeling, security architecture - Implementation
* design - secure build, secure deployment, defect management practices - Verification
* architecture testing, requirements driven testing, security testing - Operations
* maintain security throughout lifecycle - incident management, environment and operational management
You are working with the team developing a new web application and you would like to perform a
test that evaluates whether the application is able to successfully handle malicious input that it
receives through that interface. Which one of the following activities would best meet this need?
A. Input validation
B. Parameterized queries
C. Stored procedures
D. Fuzz testing
D. Fuzz testing
explanation: Fuzz testing is a specialized dynamic testing technique that provides many different types of input to software to stress its limits and find previously undetected flaws. Fuzz testing software supplies invalid input to the software, either randomly generated or specially crafted to trigger known software vulnerabilities.
You are conducting a risk assessment of a new cloud service that will be used by your
organization. In this offering, your developers will provide code to the cloud service. The service
will execute that code every time a user uploads a new image to a shared storage location. What
term best describes this offering?
A. Platform as a Service (PaaS)
B. Software as a Service (SaaS)
C. Infrastructure as a Service (IaaS)
D. Security as a Service (SecaaS)
A. Platform as a Service (PaaS)
explanation:
This is an example of a Platform-as-a-Service (PaaS) offering, where the cloud vendor executes code that is provided by the customer. In a Software-as-a-Service (SaaS) offering, the vendor would also provide the application code. In an Infrastructure-as-a-Service (IaaS) offering, the customer would also have to build and manage the environment where the code is executed.
You are developing an information security continuous monitoring (ISCM) program and are
evaluating the types of security process data that should be collected to support this work. Which
of the following information types is LEAST likely to be useful in this work?
You are developing an information security continuous monitoring (ISCM) program and are
evaluating the types of security process data that should be collected to support this work. Which
of the following information types is LEAST likely to be useful in this work?
A. Backup verification data
B. Disaster recovery data
C. Key risk indicators
D. Software documentation
D. Software documentation
explanation:
The major categories of security process data that should be collected as part of a security
monitoring program include account management data, management review and approval data, key performance indicators (KPIs), key risk indicators (KRIs), backup verification data, training and awareness data, disaster recovery (DR) data, and business continuity (BC) data. These are taken directly from CISSP objective 6.3.
You are deploying a voice over Internet Protocol (VoIP) telephone system that will be used by
your organization in all of your facilities. Where would be the best network location for these
phones?
A. On the VLANs where users are normally assigned according to their roles
B. On a physically isolated network dedicated to voice traffic
C. On a separate VLAN dedicated to voice traffic
D. On the guest network
this is a reminder only: do not ovebuild - remember cost is a factor
C. On a separate VLAN dedicated to voice traffic
What is the most common standard of evidence used in a criminal investigation?
A. Preponderance of the evidence
B. Beyond a reasonable doubt
C. Beyond a shadow of a doubt
D. Clear and convincing evidence
stick with your gut
B. Beyond a reasonable doubt
Your organization recently experienced a distributed denial of service (DDoS) attack that crippled
the organization’s public-facing website for several hours. You are concerned about this recurring
and want to select a control that will help ensure the website’s continued availability in the face of
a future attack. Which one of the following controls would best serve this purpose?
A. CASB
B. IPS
C. CDN
D. NGFW
C. CDN
explanation: * The remaining solutions may all block some DDoS attack traffic. The biggest difference is the location where they reside. Next-generation firewalls (NGFW) and intrusion prevention systems (IPS) would reside on your own network and, while they would filter the traffic heading to the web server, they would not be able to mitigate the effects of the traffic surge.
- Content distribution networks (CDNs) are designed to handle large surges in traffic by using an
what is a CDN
- content distribution network
- A collection of resource services deployed in numerous data centers across the Internet in order to provide low-latency, high-performance, high-availability of the hosted content. CDNs provide the
You are creating a series of handling requirements for sensitive information processed by your
organization and would like to document the specific encryption algorithms authorized for use in
the organization. Which one of the following document types would be the best place to include
these requirements?
A. Policy
B. Standard
C. Guideline
D. Procedure
B. Standard
Explanation: * we note that this document is a list of algorithms and not a sequence of steps or instructions. Therefore, it is not a procedure.
standards description from exam prep
* Describes settings, expectations of performance, configurations, specific requirements
You are responsible for the security of a database that contains sensitive personal information
about your employees, including their Social Security Numbers (SSN). You would like to select a
data protection technique that replaces SSNs with an alternative identifier and offers a lookup
table to authorized users who need to retrieve the actual SSN. What data protection technique
would best meet this need?
A. Masking
B. Encryption
C. Tokenization
D. Hashing
C. Tokenization
Tokenization refers to a process by which a piece of sensitive data, such as a credit card number, is replaced by a surrogate value known as a token. The sensitive data still generally needs to be stored securely at one centralized location for subsequent reference and requires strong protections around it.
OAuth2
1. is it web service or a IDp
2. does it authenticate or authrize
3. is it open standard or oasis
4. how does OIDC come into play
- web
- authorization
- open standard
- OAuth requires OpenID Connect for profile information (authentication)
What would be the most appropriate location to store application programming interface (API)
keys?
Secrets management system
Carla is the security compliance officer for a large chain of retail stores. As part of her PCI DSS
compliance work, Carla discovers that the organization routinely sends cardholder data to a
service provider who helps detect fraudulent transactions. Under PCI DSS, what is Carla
obligated to do?
A. Perform an annual penetration test of the service provider
B. Verify that the service provider appears on the list of validated service providers
C. Perform quarterly vulnerability scanning of the service provider
D. Review the results of an external audit of the service provider and ensure any critical
findings are remediated
B. Verify that the service provider appears on the list of validated service providers
exlanation:
This ensures that they have been audited and found in compliance
with the PCI DSS standard.
In an organization’s identity management (IdM) program, which one of the following technologies
is commonly used as an authorization mechanism for internal users?
A. Multifactor authentication (MFA)
B. Passwords
C. OAuth2
D. Access control list (ACL)
D. Access control list (ACL)
Exaplanation:
Access control lists (ACLs) are used to list out the specific permissions, or authorizations, that are granted to a user or group of users. This is clearly an authorization technology.
You are concerned about the risk of data loss associated with the theft of laptops and mobile
devices. You decide to deploy full disk encryption (FDE) technology to mitigate this risk. What
control category best describes the use of this technology in this situation?
A. Detective
B. Preventive
C. Corrective
D. Compensating
B. Preventive
data loss not theft was the concern. we can prevent the data loss with FDE
Which one of the following is an open standard for exchanging authentication and authorization
information between different parties?
A. OAuth2
B. OpenID
C. Active Directory
D. SAML
D. SAML
You are reviewing a website that you use regularly and you discover a serious vulnerability that
may compromise user information. You sent a notice to the company’s contact address
describing the vulnerability but have heard no response after two weeks. Under the principle of
ethical disclosure, what action should you take next?
A. Report the vulnerability to law enforcement
B. Disclose the vulnerability publicly
C. You have fulfilled your ethical responsibility and should take no further action
D. Send another notice to the company with a deadline
D. Send another notice to the company with a deadline
***The security community embraces the concept of ethical disclosure.
Your organization recently signed a contract with a service provider who will be maintaining
manufacturing equipment at a variety of field sites. The provider requires access to some of your
internal systems in order to view and update work orders so you are establishing connectivity to
your network for them. The connection will be an always-on virtual private network (VPN)
between your locations. What is the most appropriate location on your network to terminate the
connection?
A. Intranet
B. Internet
C. Extranet
D. Demilitarized Zone (DMZ) network
C. Extranet
explanation:
The scenario describes a unique use case where you are working with another organization that will need access to some of your internal systems. While the DMZ is a reasonable place to terminate the VPN connection, the extranet would be a better location because these networks are specifically designed for this scenario – an external partner that requires access to internal systems.
Brianna’s organization recently suffered an attack where the attacker was able to break into the
organization’s website and change the contact email address published on the page. What
cybersecurity principle does this attack most directly violate?
A. Non-repudiation
B. Integrity
C. Confidentiality
D. Availability
Note: follow your gut - you know this, dont let wording fuck with your head
B. Integrity
In this example, the attacker performed the unauthorized modification of information. This is an integrity violation. If the attacker had stolen information, that would be a confidentiality violation. If the attacker had deleted or destroyed information, that would be an availability violation.
You are deploying a virtual private network (VPN) to support remote users who will be
telecommuting but require access to internal resources. Where would be the most appropriate
location to place the VPN server?
A. Internal network
B. Outside the firewall on the public Internet
C. Demilitarized zone (DMZ) network
D. Data center network
C. Demilitarized zone (DMZ) network
Which one of the following is the best example of a security awareness activity that might be used
as part of an organization’s information security program?
A. Mandatory computer-based training
B. Posters in the hallway
C. Specialized training for security administrators
D. Optional classroom training
B. Posters in the hallway
Explanation: Security awareness programs include the activities that serve to refresh the memories of individuals who have already been trained on cybersecurity matters. A poster in the hallway is an excellent example of an awareness activity.
The standard order of operations for physical security controls is
Deter, Deny, Detect, Delay, Determine, and Decide
softwware configuration management
- configuration identification - document the configuration of covered software
- configuration control - changes are made in accordance with change control and configuration management policies
- configuration status account - formalized procedures are used to track all authorized changes
- configuraion audit - periodic config autid should be conducted
grey box testing
- testing from a users perspective
- have access to code but are not analyzing the code, just using it to form testing procedures from user perspective
what is another way to implement mililevel security in a DB
- database views
- views are simple SQL statements
- views can be restricted
*
two parts to linear cryptanalysis. The first is to construct linear equations relating plaintext, ciphertext and key bits that have a high bias
- first is to construct linear equations relating plaintext, ciphertext and key bits that have a high bias
- The second is to use these linear equations in conjunction with known plaintext-ciphertext pairs to derive key bits.
which of the following Vs of big data describes how data is organized
variety
buffer overflow protection taht microsoft recommendt but does not require for independent software vendors
pointer encoding
what likely occurs after a DOS attack
spoofing
datagrams belong on what OSI layer
transport layer
barriers at perimeters do what
1. deter
2. detect
3. delay
4. prevent
- delay
barriers and fences are delay control only
which includes checklist for persons responsible for acting after a disaster strikes a remote site
- drp
- mtd
- bia
- bcp
- DRP
DRP is it a type of IT contigency plan for focuses on restoration of specific IT services
remember what accreditation is dumbass
- software is accepted by the system owner
- even if not certified
IETF and RFC 6749
Oauth 2.0
a _____ language prevents a viariable from containing information that is different from the variables declaration
type-safe
cfb mode weakness
uses stream cipher that propagates encryption errors
rsa is not succeptable to which attack
1. replay
2. brute-force
3. mathematical
4. timing
- replay
- man in the middle
RSA can be used for encryption and digitally singing a message
rsa protects against replay and man in the middle attacks
