Infosec Flashcards

Question

What is threat modeling? And what does Gary McGraw call it?

Answer 1

A process that reviews the security of any connected system, identifies problem areas, and determines the risk associated with each area. Gary McGraw refers to it as Architectural Risk Analysis.

Answer 2

Any place in your system that the level of the trust in the data changes (ex: behind a firewall)

Answer 3

All the places an attacker can enter the system

Answer 4

A visual representation of four main elements: * The assets within a system; * The system’s attack surface; * A description of how the components and assets interact; * Threat actors who could attack the system and how the attack could occur

Answer 5

Adam Shostack

Answer 6

Spoofing - an attacker poses as another user, component or system Tampering – an attacker modifies data Repudiation – attackers can to deny performing some malicious activity because the system does not have sufficient evidence to prove otherwise Information disclosure – an attacker can get read access to protected data Denial of Service (DoS) – an attacker can prevent legitimate users from using the normal functionality of the system Elevation of privilege – an attacker uses illegitimate means to assume a trust level with different privileges than he currently has

Answer 7

1. Broken Access Control 2. Cryptographic Failures 3. Injection 4. Insecure design 5. Security Misconfiguration 6. Vulnerable and outdated components 7. Identification and authentication failures 8. Software and Data Integrity Failures 9. Security Logging and Monitoring Failures 10. Server-Side Request Forgery

Answer 8

1. Identify critical assets 2. Decompose the system to be assessed 3. Identify possible points of attack 4. Identify threats 5. Categorise and prioritize the threats 6. Mitigate

Answer 9

For a long time it was normal to release new functionality, then try to find sikkerhetshull and then try to patch them.

Answer 10

It is used to identify security requirements. Can be used early on. A misuse case diagram is created together with a corresponding use case diagram. The model introduces 2 new important entities (in addition to those from the traditional use case model, use case and actor: Misuse case : A sequence of actions that can be performed by any person or entity in order to harm the system.

Answer 11

It illustrates how an attacker can acheive an attack goal. It is a tree structure with AND/OR nodes. More techincal than misuse cases. Good basis for planning security tests.

Answer 12

It is used to understand the system's attack surface. To get an overview, find trust boundaries and to understand how data flows in the system.

Answer 13

The General Data Protection Regulation (GDPR), which came into effect on 25th May 2018, provides a legal framework for keeping everyone's personal data safe by requiring companies to have robust processes in place for handling and storing personal information.

Answer 14

All informasjon relatert til en identifisert eller identifiserbar naturlig person. Dette kan omfatte oppførselsmønster: Hvor du befinner deg, hva du handler inn, hva du leser, hvem dine venner er, hva du kommuniserer.

Answer 15

Sensitive personopplysninger omfatter rase eller etnisitet, politiske meninger, religiøse eller filosofiske trosforhold, fagforeningsmedlemskap, genetiske data, biometriske data for unik identifisering av en naturlig person, helseopplysninger, seksualliv eller seksuell orientering.

Answer 16

Data subject refers to any individual person who can be identified, directly or indirectly, via an identifier such as a name, an ID number, location data, or via factors specific to the person's physical, physiological, genetic, mental, economic, cultural or social identity.

Answer 17

- Right to be informed - RIght to object - Erasure: right to be forgotten - Data portability (allows individuals to obtain and reuse their personal data for their own purposes across different services) - Automated individual decision-making (The data subject shall have the right not to be subject to a decision based solely on automated processing) - Restriction of processing (an individual can limit the way that an organisation uses their data) - Transparency (The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used.) - Right to rectification (rette opp feil data)

Answer 18

- Data protection officer (DPO) - Data protection impact assessment - Privacy by design and by default - Records of processing - Data processing agreement - Notification of breach Behandlingsansvarlig er nødt til å utnevne et personvernombud, og må utføre en vurdering av personvernskonsekvenser (DPIA) før innsamling begynner. Alle systemer som behandler personopplysninger skal utvikles etter prinsippene for innebygd personvern, og personvern skal være standardvalg i alle tilfeller. Databehandleren er nødt til å føre regnskap med behandlingen av personopplysninger, og dersom en ekstern databehandler benyttes, må det foreligge en databehandleravtale. Dersom det skulle skje et brudd på personvernet, er behandlingsansvarlig pliktig til å underrette den opplysningene angår uten unødig opphold, og senest 72 timer etter bruddet er oppdaget

Answer 19

1. Proactive not Reactive; Preventative not Remedial 2. Privacy as the Default setting 3. Privacy embedded into design 4. Full functionality - positive-sum, not zero-sum 5. End-to-end security - full lifecycle protection 6. Visibility and transparency - keep it open 7. Respect for User privacy - keep it user centric

Answer 20

- Training - Requirements - Design - Coding - Testing - Release - Maintenance

Answer 21

A understanding of data protection and information security is a prerequisite for developing software. Software developers should have an established development methodology, approved by management. When developing software that processes personal data, the methodology should include data protection by design and by default, and security by design. Developers, architects, testers, project leaders, management, all employees and suppliers should undergo training. The training should happen at the start of a development project, with updates at regular intervals and at the start of deployment.

Answer 22

Setting requirements for data protection and information security for the final product. Must reflect the need for data protection and information security. To set the correct requirements, it is important to know what categories of personal data will be processed in the software. Requirements for software, products, applications, systems, solutions, or services must: - fulfil the data-protection principle - protect the data protection rights of the data subject - fulfil the company's obligations - ensure that the settings are by default set to the most privacy-friendly option - ensure that the end product is robust, secure, and provides enforceability of the data subject's rights

Answer 23

Ensure that requirements for data protection and information security are reflected in the design. It is important to take into account the existence of threat actors that may attempt to obtain and gain access to personal data. To reduce the attack surface, it must be analysed, and the software modelled and designed to ensure a robust end product. Data-oriented design requirements: minimmise and limit, hide and protect, separate, aggregate, data protection by default. Process-oriented design requirements: inform, control, enforce, demonstrate

Answer 24

Enable developers to write secure code by implementing the requirements for data protection and security. It is important to choose a secure and common methodology, both for coding and for enabling the developers to detect and remove vulnerabilities from the code. Automated code analysis tools should be introduced, and the company must have established procedures for static code analysis and code review. Possible measures for secure coding: create a list of approved tools and libararies, scanning of dependencies for known vulnerabilities or outdated versions, manual code review, static code analysis with security rules.

Answer 25

Testers check that the requirements for data protection and information security have been implemented as planned. How to test that requirements for data protection and security have been implemented: fuzz testing, vulnerability analysis, penetration testing, threat model and attack surface review.

Answer 26

Planning for how the organisation effecttively can handle incidents. Incident response plan: detect, analyse and verify, report, handle, recover. Procedures for updating software. Final security review and approval.

Answer 27

The most important element of this activity is that the organisation has implemented a plan for incident response handling and follows it. Maintenance, service and operation: - define roles and responsibilities and authority - handle the data subjects' rights and request related to this, such as data access, modification, deletion, data portability, consent, information, transparency, etc. - Continuously assess the effectiveness of technical and organisational security measures for uncovering vulnerabilities. - Data, platform, network, and software maintenance – including suppliers

Answer 28

"Software Security is the practice of building software to be secure and to continue to function properly under malicious attack. "

Answer 29

1. Code review 2. Architectural risk analysis 3. Penetration testing 4. Risk-based security tests 5. Abuse cases 6. Security requirements 7. Security operations

Answer 30

After multiple attacks like iloveyou, CodeRed and Nimda, Bill Gates decided to stop all development and implement the Trustworthy Computing initiative in 2002. In 2004 the Security Development Lifecycle (SDL) was introduced.

Answer 31

1. Trust (earn or give, but never assume, trust) 2. Authentication (use an authentication mechanism that cannot be bypassed or tampered with) 3. Authorization (authorize after you authenticate) 4. Separate data from control (strictly separate data and control instructions, and never process control intructions received from untrusted sources) 5. Explicit validation (define an approach that ensures all data are explicitly validated) 6. Crypto (use cryptography correctly) 7. Sensitive data (identify sensitive data and how they should be handled) 8. Users (always consider the users) 9. External components (understand how integrating external components changes your attack surface) 10. The times they are a-changing (be flexible when considering future changes to objects and actors)

Answer 32

1. Secure the weakest link 2. Practice defense in depth 3. Fail securely 4. Follow the principle of least privilege 5. Compartmentalize 6. Keep it simple 7. Promote privacy 8. Remember that hiding secrets is hard 9. Be reluctant to trust 10. Use your community resources

Answer 33

Open Web Application Security Project. It is a nonprofit organization that works to improve the security. The project is divided into four main areas: methodologies, tools, techniques and resources.

Answer 34

Everything that could potentially be exploited by an attacker. Totality of the different points. An attacker can try to enter data into or extract data from a system that could potentially be exploited.

Answer 35

A specific path or means an attacker can gain access.

Answer 36

Web serves use them to allow web-based clients to connect to them and view and download files.

Answer 37

Ethical hacking is testing the resources for a good cause and for the betterment of technology. It is used for penetration testing. It is focused on securing and protecting IT systems.

Answer 38

To capture and examine requests. To manipulate requests (can be used to learn about the application). Can be used for attacks.

Answer 39

If we know exactly what the system should do we also know what it should not do.

Answer 40

It must: - be simple (focus on the essentials) - be strict (so it can be a foundation for writing code) - capture deep understanding (to make the system truly useful and helpful) - be the best choice (from a pragmatic viewpoint) - provide us with language we can use whenever we talk about the system

Answer 41

A distilled version of the domain where each concept has a specific meaning. (Domain is a part of the real world where stuff happens).

Answer 42

A term or concept may have the same name in various parts of the business, but each usage may have different meaning. F.ex. package. As long as the meanings of terms, operations and concepts remain the same, the model holds. As soon as the semantics change, the mode breaks, and the boundary of the context is found. The semantic boundary of a context is interesting from a security perspective.

Answer 43

It is risk estimation in agile development teams based on Planning Poker by Laurie Williams. It is performed in the beginning of every iteration, by the full team. The goal is to rank the security risk of the features to be implemented in the iteration. Ensure common understanding in the team on the need for security in this iteration, and in general.

Answer 44

Risk = (the total value of all assets that could be exploited with a successful attack) x (the exposure), or value x exposure

Answer 45

You assess the risk of different features etc. by looking at the value and the exposure. Then you choose one of the cards <10,20,30,40,50,60,70,80, or 100 based on your assessment, and then everyone shows their card and you discuss why you chose your card.

Answer 46

Deltakerne opplevde at de fikk økt kompetanse og bevissthet om sikkerhet, og kunnskap om sikkerhet ble spredt blant alle i teamet. De viktigste risikoene ble diskutert, og diskusjonene av risiko innebar at ulike måter å minske risikoen ble identifisert og lagt til som krav. Det tok en del tid å spille Protection Poker i starten, men etterhvert gikk det raskt å gjennomføre en spill-runde

Answer 47

Passive scanning of application code without executing it. A white box testing approach. Analyzing software "at rest"; source code, bytecode and binary.

Answer 48

Weaknesses = errors in software implementation, code, design or architecture that if left unaddressed could result in systems and networks being vulnerable to attack. Ex. buffer overflows, format strings, structure and vailidaty problems, etc. Vulnerability = common vulnerabilities and exposures (CVE) list. Mistake/weakness in software that could be directly used by a hacker to gain access to a system or network. Exploit = is a piece of software containing attack vectors that can be directly used to take advantage of a vulnerability in a system. Static analysis focuses on weaknesses. A vulnerability is a weakness that can be exploited by an attacker. Thus, a weakness is an error, typically in the software code, that might lead to a vulnerability.

Answer 49

Can catch security defects early in the SDLC. Significant aid for code review. Code review is a PCI-DSS requirement.

Answer 50

It is line focused and scan line for line with f.ex. "grep" to find potential dangerous function calls. It is useful for quick code review, but very basic with lots of noise.

Answer 51

Used to determine where vulnerability occurs by using the concepts of data source and data sink in Data Flow Graph. If the source of the input data is untrustworthy, then data is said to be tainted. If tainted data reaches a sensitive sink, a security issue may exist.

Answer 52

1. If no vulnerabilities were found it might be tempting to declare it safe, and think there is no need for assurance in other development phases. 2. Fixed all the issues and therefore think that you don't need assurance in other development phases. 3. Thinking that since you have made a huge investment in SAST tool, you dont need to further invest in security.

Answer 53

False positives and negatives. Can be challenging to construct a model if you f.ex. have dynamic strings build at runtime. It may fail to even detect implemented filter/control/validator. May not test whether your filter is strong enough. Cannot find issues in the operational environment. Only cover half of security defects. Can not check many design issues. Provides little insight into the exploitability of the weakness/vulnerability itself. May not present an accurate risk picture.

Answer 54

The process of verifying that a user is who they claim to be.

Answer 55

Http Authentication, Certificate-based authentication, token-based authentication, biometric authentication

Answer 56

It is simple and vulernable. Eavesdroping on the communication can capture everything over this channel, including passwords. Dont use it in your apps.

Answer 57

It is still vulnerable for the Man In The Middel attack. It prevents use of the strong password encryption, meaning the passwords stored on the server could be hacked.

Answer 58

It uses digital certificates to verify the identity of a user or device. A digital certificate is a file: information about the user or device. Certificate Authority (CA): - A certificate is signed by a trusted authority. - Verify that the information in the certificate is accurate.

Answer 59

-Something you know: a password, a PIN or a pattern -Something you have: a physical token like a key, or a virtual token like a one-time code from a hardware device. -Something you are: a biometric like a fingerprint or iris Strong authentication has two or more factors.

Answer 60

A type of security measure that uses the physical properties of a device to create a unique fingerprint. Use the fingerprint to verify the identity of the device.

Answer 61

Completely Automated Public Turing test to tell Computers and Humans Apart. User type the letters of a distorted image or the result of a simple math problem. Can prevent bots from creating spam accounts on websites or submitting spam comments on blogs. Difficult for computers to solve, but easy for humans.

Answer 62

It has two main tasks: - Find tiles containing object in photo - Pick all photos containing an object Difficulty increased through lowering resolution or blurring the photos.

Answer 63

-Can protect websites from automated attacks. -Can be used to prevent spam comments on blogs. -Can be used to prevent bots from creating spam accounts on websites.

Answer 64

-Can be difficult for humas to solve, especially if images are distorted or the letters are in a foreign language. -Bypass methods are constantly evolving, so CAPTCHA designers must continually update the test to stay ahead of the attackers. - Tests are not perfect, and they can sometimes be frustrating for users.

Answer 65

It is the art of manipulation; Psychological attack. Steal sensitive information like login credentials, credit card number and install malware. Some common methods are phishing emails, fake websites and phone calls. They may pose as a trusted indiviual like a customer service representative and technical support agent. It may be challenging to detect, because it rely on human interaction, and often exploit people's natural trust.

Answer 66

To collect information about a target system. Like usernames, email addresses and IP addresses. Often used to collect data that can be used to brute force passwords or gain access to other systems.

Answer 67

The social engineering toolkit is a powerful open-souce toolkit used by ethical hackers to perform social engineering attacks. SET was designed to be used in penetration testing engagements to demonstrate the risk posed by social engineering attacks. SET can be useed to launch a variety of different attacks, including phishing attacks, credential harvesting attacks, web-based attacks.

Answer 68

The process of granting or denying access to a resource. Determining whether a user or computer process has the right to access a resource. Resources; computer systems, applications, data, APIs.

Answer 69

Mandatory Access Control, Discretionary Access Control, Role-based access control and attribute-based access control. Access control list contains rules that grant or deny access to certain digital environments.

Answer 70

Restricting access to objects based on the identity of the subject. Implemented using ACL: -If the user has permission to access the resource. -Users who can access the resource and the authority

Answer 71

Limiting access to resource based on: -the sensitivity of the information -the authorization of the user to access information with that level of sensitivity. Sensitivity: define by means of security label: unclassified, restricted, confidential, secret, top secret. Users can access only the information in a resource to which their security labels entitle them.

Answer 72

Restricts access to resources based on the roles assigned to users. Flexible and scalable security model. Well-suited for large organization. Advantages: - easy to grant or revoke access to multiple users at once - granularly control access to resources Disadvantages: - Can be complex to manage with thousands users - Security breach

Answer 73

Subjects and objects are related to each other through attributes. RBAC: a user with the role "manager" would be given access to the object "payroll". ABAC: a user with attribute "employee" would be given access to the object "payroll"

Answer 74

An exploit: the attacker attempts to access files and directories that are outside of the web root directory. Often used to gain access to the server's file system.

Answer 75

Look for hidden fields within forms, analyze what they are used for, and try to change their values in ways that would benefit an attacker.

Answer 76

Client-side cookie tampering is a method of tampering with the information stored on a user's web browser and manipulating it to be used in malicious ways, such as hijacking a user's session on a website or application.

Answer 77

An attacker takes control of a user's web session by stealing their session cookie. Access the victim's account and perform any actions that the user is able to do. Allows bypass authentication and authorization checks. Gain access to sensitive information: finiancial data or personal information.

Answer 78

Ensure that all users get a "clean" sessionID by regenerating the sessionID whenever a user logs in. Set the "HttpOnly" flag on all cookies. Set "secure" flag on all cookies. Enforce strong policies for sessionID creation, and never use userID as sessionID nor use sequential sessionIDs. Use content security policy (CSP) to prevent XSS attacks

Answer 79

It is a security model that is used to guide security efforts. The three elements are confidentiality, integrity and availability.

Answer 80

A plan-driven approach to software engineering is based around separate development stages with the outputs to be produced at each of these stages planned in advance. Not necessarily waterfall model - plan-driven, incremental development is possible. Iteration occurs within activities.

Answer 81

Specification, design, implementation and testing are inter-leaved and the outputs from the development process are decided through a process of negotiation during software development process. Reduce overheads in the software process and to be able to respond quickly to changing requirements without excessive rework.

Answer 82

Customer involvement, incremental delivery, people not process, embrace change and maintain simplicity

Answer 83

We are uncovering better ways of developing software by doing it and helping other do it. Through this work we have come to value: Individuals and interactions over processes and tools. Working software over comprehensive documentation. Customer collaboration over contract negotiation. Responding to change over following a plan. That is, while there is value in the items on the right, we value the items on the left more.

Answer 84

The highest priority is to satisfy the customer through early and continuous delivery of valuable software. Build projects around motivated individuals. Give them the environment and support they need, and trust them to get the job done. Working software is the primary measure of progress. At regular intervals, the team reflects on how to become more effective, then tunes and adjusts its behavior accordingly.

Answer 85

Scrum is a method of restarting play in rugby football.. either after an accidental infringement or when the ball has gone out of play. Scrum vektlegger empirisk tilbakemelding, selvadministrasjon av gruppen, og å anstrenge seg for å bygge skikkelig testede produkt-inkrementer i løpet av korte iterasjoner. Scrum har kun tre roller: Produkteier, Utviklingsgruppe, og Scrum-mester. Ansvar og oppgaver til den tradisjonelle prosjektlederen er delt mellom disse tre rollene. Hvis man skal gjennomføre Scrum slik det faktisk er definert kommer det vanligvis i konflikt med eksisterende vaner i etablerte ikke-smidige virksomheter.

Answer 86

Software development becomes continuous. Planning, budgeting, integration, deploymen, delivery, verification, innovation and experimentation becomes continuous.

Answer 87

It is the single most important artifact. It is a detailed analysis document, which outlines every requirement for a system, project or product. It could be described as a comprehensive to-do list, expressed in priority order based on the business value each piece of work will generate. The scrum backlog is the engine of the business; it breaks the big-picture story down into manageble increments of work called Product Backlog Items (PBIs)

Answer 88

Consists of committed PBIs negotiated between the Team and the PO during the Sprint Planning Meeting. Scope commitment is fixed during Sprint Execution. Initial tasks are identified by the team during Sprint Planning Meeting. Team will discover additional tasks needed to meet the fixed scope commitment during Sprint execution. Visible to the team. Referenced during the daily scrum meeting.

Answer 89

One or more sentences that describe what a user wants from the system. Start with a title, add a description, add other relevant notes, specifications or sketches, write acceptance criteria.

Answer 90

Single person responsible for maximizing the return on investment (ROI) of the development effort. Responsible for product vision. Constantly re-prioritizes the Product Backlog, adjusting any long-term expectations such as release plans. Final arbiter of requirements questions. Accepts or rejects each product increment. Decides whether to ship and whether to continue development. Considers stakeholder interests.

Answer 91

Cross-functional (e.g., includes all the expertise necessary to deliver the potentially shippable product). Self-organizing/self-managing, without externally assigned roles. Negotiates commitments with the PO, one Sprint at a time. Has autonomy regarding how to reach commitments. Intensely collaborative. Most successful when located in one team room. Most successful with long-term, full-time membership. Scrum moves work to a flexible learning team and avoids moving people or splitting them between teams. Typically 7 ± 2 members.

Answer 92

The PO is responsible for declaring which items are the most important to the business. The team is responsible for selecting the amount of work they feel they can implement without creating technical debt. If the top of the Product Backlog has not been refined, a major portion of the planning meeting should be spent doing this. The team breaks the selected items into an initial list of Sprint Tasks, and makes a final commitment to do the work. Most teams assume that the team members can only focus on Sprint-related work for about 5-6 hours per day. Collectively, the team and the PO define a sprint goal (to be reviewed in the next review meeting).

Answer 93

Most Product Backlog Items (PBIs) initially need refinement because they are too large and poorly understood. In the Backlog Refinement Meeting (backlog grooming), the Team takes a little time out of Sprint Execution to help prepare the Product Backlog for the next Sprint Planning Meeting. The team estimates the amount of effort they would expend to complete items in the Product Backlog and provides other technical information to help the PO prioritize them. Large vague items are split and clarified, considering both business and technical concerns. Sometimes a subset of the team, in conjunction with the PO and other stakeholders, will compose and split Product Backlog Items before involving the entire team in estimation.

Answer 94

Every day at the same time and place, the Team members spend about 15 minutes reporting to each other: *What did you do yesterday? What will you do today? Are there any impediments in your way? Standing up at the Daily Scrum will help keep it short. Topics that require additional attention may be discussed by whomever is interested after every team member has reported. The team may find it useful to maintain a current Sprint Task List, a Sprint Burndown Chart, and an Impediments List. Any impediments that are raised in the scrum meeting become the Scrum Master’s responsibility to resolve as quickly as possible.

Answer 95

The team holds a Sprint Review Meeting to demonstrate a working product increment to the PO and everyone else who is interested. The meeting should feature a live demonstration, not a report. After the demonstration, the PO reviews the commitments made at the Sprint Planning Meeting and declares which items she/he now considers done. Incomplete items are returned to the Product Backlog and ranked according to the PO’s revised priorities as candidates for future Sprints. It is the opportunity to inspect and adapt the product as it emerges, and iteratively refine everyone’s understanding of the requirements. New products, particularly software products, are hard to visualize in a vacuum. Many customers need to be able to react to a piece of functioning software to discover what they will actually want.

Answer 96

Each Sprint ends with a retrospective. At this meeting, the Team reflects on its own process. They inspect their behavior and take action to adapt it for future Sprints. An in-depth retrospective requires an environment of psychological safety not found in most organizations. Without safety, the retrospective discussion will either avoid the uncomfortable issues or deteriorate into blaming and hostility. A common impediment to full transparency on the Team is the presence of people who conduct performance appraisals.

Answer 97

70%, around 50% of the vulnerabilities that can be introduced during the implementation phase are consequences of design flaws. If you havent reviewed your code for security holes, the likelihood that your application has problems is virtually 100%.

Answer 98

Software development lifecycle, incremental development, security assurance, awareness and collaboration, security managment.

Answer 99

Security requirements elicitation activity is not included in the agile development methods. Risk assessment activity is not included in the agile development methods. Security related activities need to be applied for each development iteration. Iteration time is limited and may not fit time-consuming security activities.

Answer 100

Refactoring practice breaks security contraints. Continuous code changes makes completing the assurance activities difficult. Changes of requirements and design breaks system security requirements. Requirement changes makes the trace of the requirements to security objectives difficult.

Answer 101

Every sprint: input validation, dont use banned APIs, etc One-Time Only: establish response plan, upgrade compliers, etc Bucket: fuzzing, attack surface analysis, etc

Answer 102

SQL injection, Cross-site scripting, hidden-field tampering, eavesdropping, session hijacking, identity spoofing, information disclosure

Answer 103

Manual: line for line, but it is time consuming and depends on expertise. Automated: many static analysis tools on the market. Can look for known bugs.

Answer 104

A white box analysis approach. Passive scanning of application code without executing it. Analyzing software "at rest". Usually source code, but can also be bytecode or binary. Results can be in a report form.

Answer 105

Security assessment favors detailed documentation. Tests are, in general, insufficient to ensure the implementation of security requirements. Tests do not cover in general, all vulnerability cases. Security tests are in general difficult to automate. Continuous changing of the development processes conflicts with audit needs of uniform stable processes.

Answer 106

-Pre-sprint (tests and analysis); threat modeling, security defect list, patching and configuration management, metrics and policy management -Daily (tests): unit testing, security regression tests, manual code inspection or code review -Every sprint (commit tests): static analysis, dynamic analysis, component analysis -Additional Pre-deployment (tests): vulnerability assessment, penetration testing

Answer 107

1. Priority 2. Time pressure 3. Culture 4. Experience 5. Return on Investment Evaluation Informally Performed 6. Techincal dependencies 7. Business, developers and product owner's awareness

Answer 108

Security requirements are often neglected. Developers lack experience on secure software. Customers lack security awareness. Developer role must be separate from security reviewer role must be separate from security reviewer role to have objective results.

Answer 109

The developers focus on functional requirements, which is often seen as the "value" to the business. They should have more focus on security, risk oriented. The security officer is focused on requirements for security and vulnerabilities. Doesnt know when to be involved in the process. The tester is focused on functional testing, and is never given time to do non-functional testing. Usually has little knowledge on security testing.

Answer 110

It is a part of the SoS-agile project. It is a plugin to classify and rank security related issues. It classify issues as security related or not. Report the importance of the classification, provide feedback, support for continuous deployment, create awareness.

Answer 111

Security activities increase the cost of the software. There are no incentives for organizations to develop security features in early increments. Organizations compromise security activities to accommodate accelerated release schedule.

Answer 112

Tools help with the "low-hanging fruit" vulnerabilities. The best a code review tool can uncover is about 50% of security vulnerabilities. Tools can however miss business logic vulnerabilities and design flaws. Tools suffer from false negatives and false positivies. False negatives gives false sense of security, and false positvies increases workload for auditing.

Answer 113

It is part of the ISO/IEC 27xxx family of standards. Defines concepts and controls for an Information Security Management System (ISMS). Covers topics like information systems acquisition (anskaffelse), development and maintenance. Started out in the financial and banking sector. Common in IT operations. The concept of ISMS is referred to in an increasing number of laws and regulations (personal data act -> GDPR, office of the auditor general, eForvaltningsforskriftens §15)

Answer 114

Also known as Public company accounting reform and investor protection act. SOX er en føderal lov som revisjonsfirma må forholde seg til, men også alle andre som behandler elektroniske opptegnelser som har med regnskap og liknende omfattes av loven, og ergo må utviklere av denne typen programvare også forholde seg til den. SOX skal forhindre at uregelmessigheter slik man så i Enron feies under teppet, bl.a. ved å sørge for logging og revisjonsspor, og forhindre at slike data fjernes eller kommer urettmessige mottakere i hende.

Answer 115

Health insurance portability and accountability. Will apply to software that processes health information. Electronic protected health information. May be covered by GDPR, main difference may be focus, org vs consumer.

Answer 116

Systems that process credit card transactions need to satisfy the standard.

Answer 117

requirements that apply when developing payment card applications.

Answer 118

Common Criteria (CC) is an international set of guidelines and specifications developed for evaluating information security products, specifically to ensure they meet an agreed-upon security standard for government deployments. In Norway SERTIT is the certification body.

Answer 119

Regularly back up files. Keep systems and applications updated. Enforce the principle of least privilege. Secure email gateways. Implement defense in depth. Foster a culture of security in the workplace.

Answer 120

Defining what level of security is expected from the system with respect to some type of threat. Different from choice of protection mechanisms, i.e. what you require, not how to achieve it. Enables us to evaluate different approaches to a need/problem while being open to different solutions.

Answer 121

What, not how. Understandability, clarity (not ambiguous). Cohesion (one thing per requirement). Testability. The application shall only serve a pre-defined set of pages. The application shall control what pages may be served to a user. Any third-party services that are part of the application shall be regularly updated.

Answer 122

Mix of white-hat and black-hat approach though more dominant on black-hat. Great way to have scenarios in attacker mindset. Similar to use case but more on systems behavior under attack. Ex: tampering attack, SQL injection, information leakage. Think about the software the same way that attackers do. Think about what motivates attackers. Pretend to be "malicious user". Systematically asking "what can go wrong here".

Answer 123

Use-cases that are added to deal with attacks are often candidates for security requirements. Misuse-cases are useful for identifying security requirements early in the development process and a good tool for communication for tech and non-tech people.

Answer 124

Security requirements are not shown in the attack tree but derived from attacks. What security measure for each attacks? Attack trees are useful for structure, resuability potential, scales well.

Answer 125

Three types of requirements: - Functional (functions that the system must perform) -Non-functional (properties system must have) -Derived (functional/non-functional req. implicit from stated requirements) Security not about features. It is about additional properties for each requirements (functional/non-functional).

Answer 126

Often requirements listed as "the system shall [do somethin] for given [inputs]" To develop anti-requirements: categorize all possible outcomes, rank in the order of severity, define the threshold acceptance tolerance, explore the inputs and determine the outcome for each. Undesirable outcomes from unexpected inputs

Answer 127

Secuirty Quality Requirements Engineering.. Developed by SEI. “Stepwise methodology for eliciting, categorizing and prioritization security requirements for information technology system and applications “

Answer 128

For ex. for web interface to find poor handling of program state. Black hat activity based on white hat approach. Very useful to validate risk analysis and mitigation plan. Gives a good understanding of fielded application in real environment. Test tools with unique approach to attack a system and look for security weaknesses. To gain access to systems. Testing for negatives. Driven by abuse cases and architectural risk analysis.

Answer 129

Although security issues often come as a surprise to the victim, they usually stem from intentional abuse in some way. Easy to test software functionally but very hard to show that an application is secure enough under a malicious attack. It is performed in a outside-in manner.

Answer 130

Too-little-too-late attempt at the end of a development cycle. Fixing the bugs/vulnerabilities may be very expensive and it is reactive and defensive instead of proactive and dynamic. Done without any basic security risk analysis leads to the "pretend security" problem with alarming consistency. Struggle to see overall picture.

Answer 131

It is a common failure to integrate the finding into the development process. Band-Aid solution wont help in the length, you need to analyse the root-cause. By using automatic test suites you can catch some of the low-hanging fruit early.

Answer 132

-Network services test: finding target systems on a network/system/OS -Client-side test: designed to find any exploit client-side software, such as browsers -Web Application test: targets web-based applications in the target environment -Remote/accessibility test: looks for any connection points in the target environment and includes password guessing to attempt connecting. -Wireless security test: targets the physical environment to find unauthorized wireless access points or insecure access points. -Social engineering test: attempts to take user accounts or impersonate targeted user

Answer 133

Bad testing is not testing all attributes of the attack surface, while good pen testing is comprehensive and looks at threat levels. Pen testing requires skill and expertise. Have to be careful not to cause damage, achieve the goal safely with as little impact as possible. Time and budget constraints. Failure to address business impact.

Answer 134

Mix of white-hat and black-hat approach. Driven by abuse cases. Has two strategies: testing of security functionality and risk-based security testing based on attack pattern. Making sure bad things dont happen. Security testing is based on software architecture, common attacks using attacker's mind set. Can be applied before the software complete. Focus on identified security risk like architectural risk analysis, abuse cases, attack patterns, threat model, overall system.

Answer 135

„Cryptography is the practise and study of techniques for secure communication in the presence of third parties”

Answer 136

It is a private key encryption (symmetric encryption) method first used by Julius Caesar. It is a type of substitution cipher where we shift every single letter in the plaintext with a fixed number of letters.

Answer 137

1. Brute-force attack 2. Frequency-analysis

Answer 138

There is no such thing as "a random number", cause how can we measure randomness? Entropy measures the amount of randomness within some random data. True random numbers: cosmic rays, quantum fluctuations, spray from crashing waves, people rushing to catch trains. Pseudo random number: the generator is a mathematical function or computer program that produces a number each time it is called. Cryptographically Secure Pseudorandom Number Generator (CSPRNG): forward and backward secure.

Answer 139

SecureRandom, CryptoRandom, NIST SP-800-90*, CTR-DRBG, HASH-DRBG, Fortuna

Answer 140

A mathematical function. Converts an input value into a compressed (fixed size) numerical value. Map data of arbitrary size to data of fixed size.

Answer 141

Hash functions have the avalanche property, meaning that the slightest change to the input will lead to a completely different output.

Answer 142

1. deterministic: it means that if we apply to same hash-function on the exact input then the output must be the same. 2. one-way: it is easy to generate the hash with the given hashing algorithm but on the it is extremely hard to restore the original input 3. collision-free: two different inputs will never share output 4. avalance effect

Answer 143

SHA2 or SHA3

Answer 144

Stroing passwords, integrity checks for files, digital signatures, git, blockchain

Answer 145

A salt is a random string which is appended to the password upon hashing. Users with the same password but different salts will have different hashes. Masks same passwords and prevents the usage of precalculated hash lists.

Answer 146

Need to prove authenticity of some message, as well as preserve integrity against an active attacker. Can use a Message Authentication Code (MAC). It is very similar to a cryptographic hash function, except for requiring a secret key for calculation.

Answer 147

MAC algorithms are part of symmetric cryptography. Both sides need to know the same key in advance. The key can be used to authenticate as well as verify messages. Consequently, a MAC can not be used to prove who created a message, because at least two parties have the ability to create a tag. This means MAC does not provide Non-Repudiation.

Answer 148

HMAC, key at least 16 bytes long, use a separate key for authentication and encryption.

Answer 149

Confidentiality, the property that only authorized entities may read the content of a message, can be achieved by encrypting the data.

Answer 150

A key K is used to transform a plaintext message P into a ciphertext C. This process is called encrypting or enciphering. The opposite process, decrypting or deciphering, uses the same key, and must yield the original plaintext.

Answer 151

Blockciphers and steam ciphers.

Answer 152

It is a symmetric-key algorithm and a block cipher. Has a Feistel-structure. Can brute-force to check all the possible values for the keys.

Answer 153

DES was no longer secure, therefore there was a need for another truly secure cryptosystem.

Answer 154

This algorithm is able to exchange private keys over a public channel. This approach is not for encryption or decryption but to securely exchange the private keys for symmetric cryptosystems. We are not sharing information during the key exhange.

Answer 155

To prevent a cipher from producing a deterministic output, all modern algorithms require a Nonce or Initialization Vector to be given. A piece of data that must be unique per key/message combination. Must be random. Should be transmitted in the clear alongside the ciphertext.

Answer 156

It guarantees integrity, confidentiality and authentication. It outputs an authentication tag alongside the ciphertext.

Answer 157

The private key must be exchange, causing a risk that someone may acquire the key during this process. Another problem is the number of private keys.

Answer 158

It can be used to distribute keys for asymmetric encryption/decryption, and to create a digital signature. Assures confidentiality, authenticity and non-repudiability. In a public key cryptosystem all the users have two keys: a public and a private key. The private key can decrypt a message that has been encrypted with the public key and vica versa.

Answer 159

Private key (symmetric cryptography) = want to make sure the ciphertext contains no information about the plain text. Use random numbers. Public key (asymmetric) = use trapdoor functions. Public key cryptosystems are about prime numbers

Answer 160

Equivalent to signing a document with your signature or a stamp. Mathematical method for verifying authenticity of a message or document. Gives a very strong reason to believe the message was created by a known sender (authentication). Also gives reason to believe a message was not altered in transit (integrity). Can also provide non-repudiation.

Answer 161

Designed to provide communication security over a network. Provides privaxy and data integrity in communications. Should have at least one of the following properties: - Connection is private because symmetric encryption is used to encrypt data transmitted. A shared secret key should be negotiated during the initial handshake of a session. - The identity of the communicating parties can be authenticated using public-key cryptography - generally required for at least one part, often the server - The connection is reliable because each message contains a MAC to prevent undetected loss or alteration of the data during transmission.

Answer 162

Continous Integration/Deployment A process of automating the steps required to get from a developer's computer to a production environment

Answer 163

The combination of software development and IT operations. It aims to shorten the systems development life cycle and provide continuous delivery with high software quality. CAMS- Culture, automation, measurement, sharing. 8 stages in the lifecycle

Answer 164

It is a philosophy of integrating security methods into a DevOps process.

Answer 165

Open source automation server which can be used to automate all sorts of tasks related to building, testing and deploying software. Checks regularly if there is a change in the code, if there is a failed build, if the build is successful

Answer 166

Helps developers find and fix vulnerabilities in their code. To scan for vulnerabilities in dependencies, libaraies, and frameworks. To montior for new vulnerabilities in dependencies. To create security policies to prevent vulnerable code from being deployed.

Answer 167

White-hat activity to defend overall system. Integrated security should include security operations. Have complete feedback mechanism should cycle back into development team. Plan for incident response. Be prepared for potential attacks by understanding software behaviors.

Answer 168

It is what we have to do when things go wrong. Have to designate the team, and ensure facilities are available.

Answer 169

You have to develop incident plan specific to your application. You need an on call/emergency contact list, centralized accessible artifact locations, reporting mechanism, a evidence handling process and a forensic analysis environment.

Answer 170

It is community-driven effort to create a framework of security requirements and controls, that focus on defining the functional and non-functional security controls required modern web applications and web services.

Answer 171

Two main goals: - to help organizations develop and maintain secure applications - to allow security service vendors, security tools vendors, and consumers to align their requirements and offerings

Answer 172

Level 1 - low assurance levels, it is completely penetration testable Level 2 - applications that contain sensitive data, which requires protection Level 3 - critical applications that perform high value transactions, contain sensitive medical data

Answer 173

Building Security In Maturity Model (BSIMM) is a study of current software security initiatives or programs. It quantifies the application security (appsec) practices of different organizations across industries, sizes, and geographies while identifying the variations that make each organization unique.

Answer 174

It is a measuring stick for software security. Can use BSIMM to compare your own initiative with what other organizations are doing. You can then identify goals and objectives of your own. Look to the BSIMM to determine which additional acitvities make sense for you.

Answer 175

It is a measuring stick for software security. Can use BSIMM to compare your own initiative with what other organizations are doing. You can then identify goals and objectives of your own. Look to the BSIMM to determine which additional acitvities make sense for you.