Section 10 Secure Software Development

Question 1

1. Planning and analysis
2. Software/Systems Design
3. Implementation
4. Testing
5. Integration
6. Deployment
7. Maintenance

Answer 1

SDLC Phasing

Question 2

Software development is performed in time boxed or small increments to allow more adaptivity to change.

Answer 2

Agile

Question 3

Software development and information technology operations.

Answer 3

Dev Ops

Question 4

Applications should be deployed using code signing to ensure the program is not changed inadvertently or maliciously prior to delivery to an end user.

Answer 4

Authenticity and Integrity

Question 5

Layering of security controls is more effective and secure than relying on a single control.

Answer 5

Defense in Depth

Question 6

Any input that is received from a user should undergo input validation prior to allowing it to be utilized by an application.

Answer 6

Never Trust User Input

Question 7

Users and processes should be run using the least amount of access necessary to perform a given function.

Answer 7

Least Privilege

Question 8

Default installations should include secure configurations instead of requiring an administrator or user to add in additional security.

Answer 8

Secure Defaults

Question 9

Applications should be coded to properly conduct error handling for exceptions in order to fail securely instead of crashing.

Answer 9

Fail Security

Question 10

If a vulnerability is identified, then it should be quickly and correctly patched to remove the vulnerability.

Answer 10

Fix Security Issues

Question 11

SDK’s must come from trusted sources to ensure no malicious code is being added.

Answer 11

Rely on Trusted SDK’s

Question 12

Occurs when a tester is not provided with any information about the system or program prior to conducting the test.

Answer 12

Blackbox Testing

Question 13

Occurs when a tester is provided full details of a system including the source code, diagrams, and user credentials in order to conduct the test.

Answer 13

Whitebox Testing

Question 14

A mix of blackbox and whitebox testing where the tester is given some amount of information about he system, but conducts his testing as if he doesn’t have full access to it.

Answer 14

Graybox Testing

Question 15

Provides control over what the application should do when faced with a runtime or syntax error.

Answer 15

Structured Exception Handling (SEH)

Question 16

Application verify that information received from a user matches a specific format or range of values.

Answer 16

Input Validation

Question 17

Source code of an application is reviewed manually or with automatic tools without running with code.

Answer 17

Static Analysis

Question 18

Analysis and testing of a program occurs while it is being executed or run.

Answer 18

Dynamic Analysis

Question 19

Injection of randomized data into a software program in an attempt to find system failures, memory leaks, error handling issues, and improper input validation.

Answer 19

Fuzzing

Question 20

Code placed in computer programs to by pass normal authentication and other security mechanisms.

Answer 20

Backdoors

Question 21

Method of accessing unauthorized directories by moving through the directory structure on a remote server.

Answer 21

Directory Traversal

Question 22

Occurs when an attacker is able to execute or run commands on a victim computer.

Answer 22

Arbitrary Code Execution

Question 23

Attack against a vulnerability that is unknown to the original developer or manufacture.

Answer 23

Zero Day

Question 24

Occurs when a process stores data outside the memory range allocated by the developer.

Answer 24

Buffer overflow

Question 25

A temporary storage area that a program uses to store data.

Answer 25

Buffer

Question 26

Reserved area of memory where the program saves the return address when a function call instruction is received.

Answer 26

Stack

Question 27

Occurs when an attacker fills up the buffer with NOP so that the return address may hit a NOP and continue on until it finds the attacker’s code to run.

Answer 27

“Smash the Stack”

Question 28

Method used by programmers to randomly arranges the different address spaces used by a program or process to prevent buffer overflow exploits.

Answer 28

Address Space Layout Randomization

Question 29

Occurs when an attacker embeds malicious scripting commands on a trusted website.

Answer 29

Cross-site Scripting (XSS)

Question 30

1. Stored/Persistent
2. Reflected
3. DOM-Based

Answer 30

3 Types of XSS

Question 31

Attempt to exploit the victim’s web browser.

Answer 31

Document Object Model (DOM) - based

Question 32

Occurs when an attacker forces a user to execute actions on a web server for which they are already authenticated.

Answer 32

Cross-site Request Forgery (XSRF/CSRF)

Question 33

Attack consisting of the insertion or injection of an SQL query via input data from the client to a web application.

Answer 33

SQL Injection

Question 34

Insertion of additional information or code through data input from a client to an applicaiton.

Answer 34

Injection Attack

Question 35

1. SQL
2. HTML
3. XML
4. LDAP

Answer 35

Common Injections

Question 36

XML encodes entities that expand the exponential sizes, consuming memory on the host and potentially crashing it.

Answer 36

XML Bomb (Billion Laughs Attack)

Question 37

An attack that embeds a request for a local resource.

Answer 37

XML External Entity (XEE)

Question 38

A software vulnerability that occurs when the code attempts to remove the relationship between a pointer and the thing it points to.

Answer 38

Dereferencing

Question 39

A software vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events, and these events fail to execute in the order and timing intended by the developer.

Answer 39

Race condition

Question 40

The potential vulnerability that occurs when there is a change between when an app checked a resource and when the app used the resource.

Answer 40

Time of Check to Time of Use (TOCTTOU)

Question 41

Any program that does not properly record or log detailed enough information for an analyst to perform their job.

Answer 41

Insufficient Logging and Monitoring