OWASP principles and security audits

Question 1

What does ‘minimize attack surface area’ mean?

Answer 1

Reducing all the potential vulnerabilities that a threat actor could exploit.

Question 2

What is the principle of least privilege?

Answer 2

Users should have the least amount of access required to perform their everyday tasks.

Question 3

What is defense in depth?

Answer 3

Organizations should have varying security controls that mitigate risks and threats.

Question 4

What is separation of duties?

Answer 4

Critical actions should rely on multiple people, each of whom follow the principle of least privilege.

Question 5

What does ‘keep security simple’ mean?

Answer 5

Avoid unnecessarily complicated solutions, as complexity makes security difficult.

Question 6

What does ‘fix security issues correctly’ involve?

Answer 6

When security incidents occur:

Identify the root cause
Contain the impact
Identify vulnerabilities
Conduct tests to ensure successful remediation

Question 7

What does ‘establish secure defaults’ mean?

Answer 7

The optimal security state of an application should be its default state for users; it should take extra work to make the application insecure.

Question 8

What does ‘fail securely’ mean?

Answer 8

When a control fails or stops, it should default to its most secure option. For example, a failing firewall should block all connections rather than accept everything.

Question 9

What does ‘don’t trust services’ mean?

Answer 9

Organizations shouldn’t explicitly trust that their third-party partners’ systems are secure, even when working together.

Question 10

What is ‘avoid security by obscurity’?

Answer 10

The security of key systems should not rely on keeping details hidden. Security should depend on factors like password policies, defense in depth, and solid network architecture.

Question 11

What should be included when identifying the scope of an audit?

Answer 11

The audit should:

List assets to be assessed
Note how the audit will help achieve organizational goals
Indicate audit frequency
Include evaluation of organizational policies, protocols, and procedures

Question 12

What are examples of assets that should be assessed in an audit?

Answer 12

Examples include:

Firewall configurations
PII security
Physical asset security
Implementation of organizational policies

Question 13

What is a risk assessment in an audit?

Answer 13

An evaluation of identified organizational risks related to:

Budget
Controls
Internal processes
External standards and regulations

Question 14

What happens during the audit conducting phase?

Answer 14

You assess the security of the identified assets listed in the audit scope.

Question 15

What is a mitigation plan?

Answer 15

A strategy established to:

Lower the level of risk
Reduce potential costs and penalties
Address issues that can negatively affect the organization’s security posture

Question 16

What should be included in the final stakeholder communication?

Answer 16

A detailed report containing:

Findings
Suggested improvements to lower organizational risk
Compliance regulations and standards the organization needs to follow