Lecture 12

Question 1

Data Breach

Answer 1

A confirmed incident in which sensitive, confidential, or otherwise protected data has been accessed or disclosed in an unauthorized fashion.

ex: PHI (personal health information), PII (personally identifiable information), trade secrets, intellectual property

Question 2

Security Concepts (AKA CIA Triad) (SC)

Answer 2

From top, right, left:

• Confidentiality: data is secured to authorized parties only
• Integrity: data is trusted
• Availability: data is accessible when and where needed

From left, right, bottom:

• Authenticity: components can prove their identity
• Non-repudiation: service provides a trusted audit trail
• Privacy: services does not automatically see customer data

Question 3

[SC] Authentication vs Authorization

Answer 3

• Authentication (1st): verifies who you are

- Authorization (2nd): decides if you have permissions to access a resource

Question 4

Top 10 Security Principles

Answer 4

• authenticate requests received on a network port
• follow principle of least privilege
• encrypt all credentials
• test by abusing
• assume no one else will secure it; validate it
• hard code no passwords, user ids, etc
• avoid security by obscurity/keep security simple
• understand 3rd party components
• EVERYONE IS RESPONSIBLE FOR SECURITY

Question 5

Security w/in an SDLC (S in SDLC)

Answer 5

Software security best practices involve explicitly thinking about the security situations throughout the SDLC.

• know and understand common risks
• design for security
• all software artifacts subject to thorough, objective risk analysis and testing
• security should be its own set of requirements for the app

Question 6

[Security Terms] Vulnerability

Answer 6

A weakness (in an information system, security system procedure, or implementation) that could be exploited/triggered.

Question 7

[Security Terms] Threat

Answer 7

A potential violation or security which exists when there is a circumstance, capability, action, or event that could breach security and cause harm.

Question 8

[Security Terms] Threat Agent

Answer 8

An individual or group which can manifest a threat.

Question 9

[Security Terms] Asset

Answer 9

A major app, general support system, high impact project, physical plant, mission critical system, personnel, equipment, or a logically related group of systems.

Question 10

[Security Terms] Risk

Answer 10

(level of threat) * (level of vulnerability). Likelihood of a successful attack.

Question 11

[Security Terms] Countermeasure

Answer 11

Reactive methods use to prevent an exploit from successfully occurring once a threat has been detected.

ex: IPS (intrusion prevention systems), patches, access control lists, malware filters

Question 12

[Security Terms] Security Model

Answer 12

• Owners value ASSETS
• Owners wish to minimize RISK to ASSETS
• Owners impose COUNTERMEASURES to reduce RISK to ASSETS
• Owners impose COUNTERMEASURES that may possess VULNERABILITIES leading to RISK to ASSETS
• Threat agents wish to abuse and/or damage ASSETS
• Threat agents give rise to THREATS to ASSETS
• Threat agents give rise to THREATS that exploit VULNERABILITIES leading to RISK to assets
• Threat agents give risk to THREATS that increase RISK to ASSETS

Question 13

Application Threat Modeling [ATM]

Answer 13

An structured approach for analyzing the security of an application that enables you to identify, quantify, and address the security risks with an application.

Question 14

[ATM] Process

Answer 14

1) Identify Assets
2) Create an Architecture Overview
3) Decompose the Application
4) Identify the Threats
5) Document the Threats
6) Rate the Threats

Question 15

Security Design Practices

Answer 15

• earn/give, but never assume, trust
• authentication mechanism that can’t be bypassed/tampered with
• authorize after you authenticate
• explicitly validate ALL data (client-side and server-side)
• external 3rd party components change your attack surface

Question 16

Security Testing [ST]

Answer 16

A type of software testing that intends to uncover vulnerabilities of the system and determine that its data and resources are protected from intruders.

Question 17

[ST] of an Application Component (AST)

Answer 17

• Network
• System Software
• Client-side
• Server-side

Question 18

[AST] Static vs Dynamic

Answer 18

STATIC

• White box
• Analyzes source code of binaries
• Covers all execution paths
• Finds vulnerabilities early in SDLC (analysis/design/coding phases)

DYNAMIC

• Black box
• Requires running application
• Testing with pre-defined test data sets
• Finds vulnerabilities later in SDLC (integration/systems phases)

Question 19

[AST] Coverage

Answer 19

STATIC (N.I.C.T)

• null pointer dereference
• insecure crypto issues
• code quality issues
• threading issues

DYNAMIC (B.A.R.S)

• business logic vulnerabilities
• authentication issues
• runtime privilege issues
• session management issues

BOTH (S.X.X.L.H.B)

• SQL Injection
• XSS Injection
• XPATH injection
• LDAP injection
• HTTPS Responses Splitting
• Buffer Overflows

Question 20

[ST] Principles

Answer 20

• think strategically, not tactically (patch and penetrate model w/out proper investigation of the root cause is ineffective)
• integrate security into each phase of the S.D.L.C.
• test early and test often
• think outside the box

Question 21

[ST] Techniques

Answer 21

• manual inspections and reviews
• threat modeling
  (helps system designers to think about the security threats that their sys/app faces)
  (enables designer to develop mitigation strategies for potential vulnerabilities)
• code review
• penetration testing: remotely testing an app to find vulnerabilities without knowing apps inner workings