Section 10 - Secure Software Development

Question 1

To try and counteract the complexity of our software development, many models and methods have been introduced, the most common of which is known as…?

Answer 1

SLDC

Software Development Life Cycle

Question 2

What is SLDC?

Answer 2

An organized process of developing a secure software application throughout its life cycle throughout the project.

*** This process covers everything - from the initial idea of the software, through its coding and testing, and even into its deployment and retirement.

Question 3

SLDC is based on a generic ___ model of development.

Answer 3

Waterfall

Question 4

How does the waterfall model of development work?

Answer 4

Each phase of life cycle is broken down into smaller portions. As each one is finished, the next one has begun.

The reason this model is termed with the “Waterfall” is that information and the software product itself flows from the top stage all the way down to the bottom stage, getting more developed as it progresses downward. Visually, this looks like a waterfall.

Question 5

What are the seven phases of SLDC?

Answer 5

1. Planning and Analysis
2. Software or Systems Design
3. Implementation
4. Testing
5. Integration
6. Deployment
7. Maintenance

Question 6

What happens during the first phase of SLDC?

Answer 6

Planning and Analysis

During this stage, the goals of the software project are determined, the stakeholder needs are assessed, and all of the high-level planning work is conducted.

*** This is where things go from a rough idea that someone has into a more formalized and well developed concept

Question 7

What happens during the second phase of SLDC?

Answer 7

Software or Systems Design

The application or system is defined, outlined, and diagrammed in detail.

*** This is where we focus on the overarching inputs and outputs of each function that are going to make up the final software that’s going to be released to our customer.

Question 8

What happens during the third phase of SLDC?

Answer 8

Programmers will begin to code of all the various functions that are needed for the final product.

As each piece of code is developed, the programmers will conduct some basic debugging and testing to ensure that its functionality is working properly.

Question 9

What happens during the fourth phase of SLDC?

Answer 9

Formalized Testing

During this stage we get the code and check it through a myriad of different testing methodologies.

Question 10

What happens during the fifth phase of SLDC?

Answer 10

The application of systems is integrated into the larger network environment.

Whereas in phase four we focus on testing the individual application or system, in phase five we focus on testing the end-to-end service to ensure that all of the pieces and all of the parts can communicate effectively and correctly.

Question 11

What happens during the sixth phase of SLDC?

Answer 11

Deployment

The application or system will be moved into the production environment where your customers and your end users can now utilize it.

*** This is the phase that allows real work to be done using your new software application.

Question 12

What happens during the seventh phase of SLDC?

Answer 12

Maintenance

Programmers are now focused on bug fixes, patches and updates to the version of the software that you’re going to end up using. In addition, your service desk focuses on helping users understand how to use your program.

Question 13

When we discuss maintenance of the software, two very important concepts are…?

Answer 13

Version Control

Configuration Management

*** This will ensure that as you update or fix a problem in your baseline configuration, you have a way to identify what is the newest version and what is the older version. This is also where we determine when software is outdated, old and may need to be retired.

Question 14

What is the common way that companies show the newest version of their product?

Answer 14

A numbering scheme that consists of major, minor and build version numbers.

For example, if you’re running Windows 10.0.12425 then:
10 - major version
0 - minor version
12425 - build number

Question 15

As opposed to the waterfall model of development, there is a new model rising in popularity. This is known as…?

Answer 15

Agile Development

Question 16

How does Agile Development work?

Answer 16

Software development is performed in time-boxed or small increments to allow it to be more adaptive to changing requirements.

*** In this model, you still perform most of the phases that make up the Waterfall method but the difference is that you do them much quicker.

Question 17

The waterfall method doesn’t support…?

Answer 17

Rapid development or rapid changes

In addition, you cannot add additional features until the initial product was already delivered.

** It takes 6 to 12 months to get from the first planning phase all the way to the seventh phase. Any changes would require you to go back in an earlier stage and continue down the Waterfall again.

Question 18

Agile development projects work in what kind of time frame?

Answer 18

Two to four week time periods known as “sprints”

*** This is due to releasing smaller product portions more quickly and more often, and at the end of every sprint something has to be released.

Question 19

What is “DevOps”?

Answer 19

DevOps is a term created from the words development and operations.This is a way of conducting business where the software developers an the IT operations personnel work closely together to speed up the development and deployment of the applications and to get things out to the end user quicker.

Question 20

What are the three tenets of the CIA triad?

Answer 20

Confidentiality
Integrity
Availability

Question 21

What does the “C” of the CIA triad mean?

Answer 21

Confidentiality

Ensures that only authorized users can access the data being processed by an application. The most common way of ensuring confidentiality is to include the use of encryption to maintain the secrecy of the data being stored.

Question 22

What does the “I” of the CIA triad mean?

Answer 22

Integrity

Integrity is focused on ensuring the data is not modified or altered without permission.The two main ways that we do this as developers is by utilizing hash algorithms as a method of integrity check for the data or by using journaling and logging functions to create audit trail showing the integrity of the data has not been compromised.

Question 23

What does the “A” of the CIA triad mean?

Answer 23

Availability

When developers are attempting to ensure availability, they’re focused on ensuring that the data is available to authorized users when it’s needed. The most common way of doing this is by creating redundancy in the overall system design, by ensuring their software code is error-free, or by ensuring that their software can conduct error handling appropriately to prevent crashes.

Question 24

What secure coding practices should our programmers use during development?

Answer 24

• Least Privilege
• Defense in Depth
• Never trust user input - Any input that’s received from a user should always undergo input validation prior to allowing an application to use it. Proper input validation can stop a lot of different types of attack including SQL injections, buffer overflows, and more.
• Minimize our attack surface in our applications and our systems - This means that we should always reduce the amount of code used by a program, we should eliminate unneeded functionality, and we should also require authentication prior to running any additional plugins.
• Create secure defaults - Most of the time, our users are going to accept the default installation configurations.This can lead to insecurities in our systems.Therefore, developers should always ensure the default installation includes secure configurations by default and then requires an administrator or a user to lessen those secure defaults if they want to remove the security.
• Whenever you’re deploying your applications, you should always use code signing to ensure that the program has not been changed either inadvertently or maliciously prior to its delivery to your end users - By using digital signatures as part of your code signing, you’re enabling the end user to see that the program was authentic and it maintains the integrity throughout its lifecycle.
• Ensure code is developed to fail securely - By ensuring that your application is coded to properly conduct error-free handling exceptions, they can fail securely instead of crashing or being exploited by an attacker. Again, input validation here will go a long way in helping your programs fail securely instead of just crashing.
• Fix security issues - If the vulnerability is identified, it should quickly be corrected and patched to remove that vulnerability from your application or system.
• Rely on trusted SDKs and third-party libraries -

Question 25

What is “Least Privilege”?

Answer 25

Least privilege means that user or processes should be run using the least amount of access necessary to perform the given function.

Does your application require administrative permissions to run? If so, why?

Developers should always try to use the lowest permission level when they’re performing a function. So whenever it’s possible, the program should be run as a user-level person instead of an administrator or root-level one.

Question 26

What is “Defense in Depth”?

Answer 26

Defense in depth occurs when you layer security controls to create a more effective and secure application or system than would be possible if you relied on a single control.

Question 27

What is an “SDK”?

Answer 27

An SDK is a Software Development Kit and it allows a programmer to reuse code from other programmers in order to save them time and effort. Essentially, we are reusing somebody else’s code inside your own applications.

For example, if you’re developing a new Windows application, there’s no reason for you to code your own function to open a file on the hard drive. This function exists in almost every program out there. So, there’s a software development toolkit that provides this function along with many other file input and output functions. The same holds true for third-party libraries.

Question 28

What are the three types of system testing that a security analyst might use?

Answer 28

Black Box Testing
White Box Testing
Gray Box Testing

Question 29

What is “black box testing”?

Answer 29

Black-box testing occurs when a tester is not given any information about the system or program before beginning their test.

Question 30

What is “white box testing”?

Answer 30

In white-box testing, the tester is given the details of the inner workings of the program or system. This may even include access to the full source code of that program, diagrams of the system, user access credentials, logons, and more.

Question 31

What is “gray box” testing?

Answer 31

This is a mixture of black-box and white-box where the tester is given some amount of information about the system and conducts his testing as if he doesn’t have full access to it.

Question 32

What is a “runtime error”?

Answer 32

If the program is running when the error occurs, the error is known as a runtime error.

Question 33

What is a “syntax error”?

Answer 33

If the program fails to run because of a coding error, this is known as a syntax error.

Question 34

The most common type of error in programming is…?

Answer 34

When a programmer doesn’t put the proper syntax expected by that programming language, such as leaving out a closing parenthesis or missing a semicolon inside their code.

Question 35

What is “input validation”?

Answer 35

Input validation simply means that programmers have written code that validates the information being received from the user and ensuring that it matches a specific format or a range of values.

Question 36

Another aspect of system testing is to consider how are you going to test the code itself. How can this be achieved?

Answer 36

Static Analysis
Dynamic Analysis

Question 37

What is “static analysis”?

Answer 37

Static analysis occurs when the source code of a program is available for analysis. Static analysis is conducted by somebody who understands the language the program is written in and they can analyze the code for errors. These types of static analysis reviews can also be aided by the use of automation software to check for known vulnerabilities and bring them to the attention of a skilled programmer or analyst. During a static analysis, the software’s code is not run but it’s simply read to find those errors. Think of static analysis as your third-grade English teacher looking over your essay and marking it up with a red pen to show you all of your errors.

Question 38

What is “dynamic analysis”?

Answer 38

Dynamic analysis, on the other hand, is performed on a program while it’s being run.

Question 39

What is the most common type of dynamic analysis?

Answer 39

Fuzzing, also known as a fuzz test, involves using a software program to insert randomized data in an attempt to find vulnerabilities.

Fuzzing is used to determine possible system failures, memory leaks, error handling issues, and improper input validation as well. This type of testing works just like the earlier example where we tried to enter some letters in as our social security number, but fuzzing tries to enter lots and lots of randomized sequences to find any vulnerabilities or errors that it can.

Fuzzing can occur on more than just a single program, but it also can be used on an entire network or system.

Question 40

What are “backdoors”?

Answer 40

Backdoors consist of software code that’s been placed in computer programs to bypass our normal authentication and other security mechanisms. These are often created by developers themselves in order to make it easier for them to update custom programs in the future.

Question 41

What is “directory traversal”?

Answer 41

A directory traversal is a method of accessing unauthorized directories by moving through the directory structure on a remote server.

For example, normally, you could access our website by going to www.diontraining.com. Or, you might access it by going to a dynamic sub-page like diontraining.com/menus, or something like that. If you wanted to attempt a directory traversal, you’re going to have to add something to the directory path that has an input variable inside the URL. Something like menu=../../../../etc/password. This attempts to move up four levels through the directory structure from the web server’s public folder into its root folder and then back down into the etc folder and then attempts to access the password file. If this was successful, the text-based password file would be displayed inside your web browser.

For the Security+ exam, anytime you see that there’s a series of ../ in them, you know that this is most likely a directory traversal and it’s being used as part of an exploit.

Question 42

What is “arbitrary code execution”?

Answer 42

Arbitrary code execution occurs when an attacker is able to execute or run commands on a victim computer. This might occur if someone walks by your desk at work, sees you’re logged into the computer, but you’re away from your desk.They start running a program on your computer. This would be classified as an arbitrary code execution.

Question 43

What is RCE?

Answer 43

Remote Code Execution

A specialized type of arbitrary code execution.

A remote code execution occurs when the attacker is able to execute or run commands on a remote computer. Notice the key difference here between an arbitrary and a remote code execution. With a remote code execution, the attacker can run the commands remotely, such as through an interactive shell session or some other kind of attack.

Question 44

What is a “zero day exploit”?

Answer 44

This is an attack against a vulnerability that is unknown to the original developer or manufacturer.

Question 45

What is a “buffer overflow exploit”?

Answer 45

A buffer overflow occurs when a process in a program stores data outside the memory range allocated by the developer.

Let’s pretend that you have a glass sitting on a table. It can hold a certain amount of water, right? If it’s designed to hold 16 ounces of liquid, but you pour 20 ounces in, well, the cup is going to overflow with water and the table is going to get wet. In this example, the glass is our buffer, and when we overflow it with our data, in our case water, the extra is going to spill out onto the table and make a huge mess. Buffer overflows in the IT world can also create a big mess for us.

Now, if an attacker places too much information into the stack or changes the value of that return pointer, they can carry out an attack. This is what they’re attempting to do with a buffer overflow, they’re attempting to overwrite the return address of the pointer so that it will point to a different place in the stack where they’ve placed their malicious code.That way when the non-malicious code is run and hits the return pointer, it’s going to return to the attacker’s malicious code.

Question 46

What exactly is a “buffer”?

Answer 46

Well, a buffer is simply a temporary storage area that a program uses to store its data.

Question 47

85% of data breaches were caused by a ___ ___ attack being used as the initial attack vector.

Answer 47

buffer overflow

Question 48

What is a “stack”?

Answer 48

A stack is a reserved area of memory where the program saves the return address when a function call instruction is received.

Question 49

What is “smashing the stack”?

Answer 49

This occurs when an attacker fills up the buffer with a NOP (non-operation instruction) so that the return address may hit one of these NOPs and continue on until it finds the attacker’s code and runs it.

After successfully completing a buffer overflow attack, non-malicious code is run and hits the return pointer and returns the attack’s malicious code, such as the /bin/shell code. This is going to give them a shell or a command prompt on the victim system where they can then perform a remote code execution using that shell.

Question 50

When a series of NOPs is hit by a non-malicious program, because the attacker’s filled up the buffer with NOPs and a return address to his malicious code, this is known as a…?

Answer 50

NOP slide

Question 51

The ___ ___, essentially, is an instruction that tells it to do nothing and simply go to the next instruction and it will continue to do this and slide down until it hits that final return pointer which causes the program to branch over to that memory address.

Answer 51

NOP instruction

Question 52

One of the mitigations against a buffer overflow attack is the use of…?

Answer 52

Address Space Layout Randomization

ASLR

Question 53

What is ASLR?

Answer 53

This is a programming technique that helps prevent an attacker’s ability to guess where the return pointer for a non-malicious program has been set to call back by randomizing the memory address used by well known programs, such as parts of the operating system.

Question 54

For the security+ exam, all you need to remember about buffer overflow attacks is…?

Answer 54

That it is used to put more data into memory than it’s designed to hold.

The intent here is to overflow the buffer for the non-malicious program in an effort for the attack to be able to get their malicious program into memory and allow it to be run.

Question 55

What are two types of exploits that apply to web application vulnerabilities?

Answer 55

Cross-site scripting

Cross-site request forgery

Question 56

This occurs when an attacker embeds malicious scripting commands into a trusted website.

Answer 56

Cross-site scripting

*** When this occurs, the attacker is trying to gain elevated privileges, steal information from the victims cookies, or gain other information stored by the victim’s web browser.

During this attack, the victim is user, not the web server. The server has already been compromised. This exploits the trust that exists between a user’s web browser and the web server that they’re using. This happens because the attacker is able to insert some malicious code into a web page that’s being delivered from the server to the victim/client.

Question 57

What are the different types of cross site scripting attacks?

Answer 57

Stored and Persistent
Reflected
DOM-based

Question 58

This type of cross site scripting attack attempts to get data provided by the attacker to be saved on to the web server by the victim.

Answer 58

Stored and Persistent

Question 59

This type of cross site scripting attack attempts to have a non-persistent effect which is activated by the victim clicking on a link on that site.

Answer 59

Reflected

Question 60

This type of cross site scripting attack attempts to exploit the victims web browser itself and it’s often called a client side cross site scripting attack.

Answer 60

DOM-based

Question 61

What does “DOM” stand for?

Answer 61

Document Object Model

Question 62

What are some ways to protect against cross site scripting attacks?

Answer 62

1. Programmers should use output encoding of their web applications to prevent codes from being injected into them during delivery
2. Programmers should also use proper input validation to prevent the ability for HTML tags to be inserted by users when they’re entering information on a web form.
3. As a user, increase the security settings from your cookie storage and disable scripting languages when browsing the web.

Question 63

This attacks focuses on exploiting the trust that a website has in a user.

Answer 63

Cross Site Request Forgery

*** In this, the attacker forces the user to execute actions on a web server that they already have been authenticated to do. Like logging back into your bank account once you’ve authenticated into it.

Question 64

What does “SQL” stand for?

Answer 64

Structured Query Language

AKA Sequel

Question 65

This is the way that a web application communicates to a database server to ask for information.

Answer 65

SQL

*** This is the language used to communicate with the databases

Question 66

This is an attack consisting of the insertion or injection of an SQL query via input data form that the client sends to the web application.

Answer 66

SQL Injection

*** This is just a specific type of code injection

Question 67

A ____ ____ ____ is the insertion of additional information or code through data input from a client to an application.

Answer 67

generalized injection attack

Question 68

What are the most common types of code injection?

Answer 68

SQL - the most common of all
HTML
XML
LDAP

Question 69

For the sec+ exam, any time you see a question that shows something like “1=1” or any other statement that will always return a true value, it’s going to be an..?

Answer 69

SQL Injection

*** This could be anything, like 7=7, or 123=123. If the values are the same, it’s going to be SQL injection.

Question 70

What is the best way to avoid SQL injection?

Answer 70

Perform input validation

Question 71

What does “XML” stand for?

Answer 71

Extensible Markup Language

Question 72

This is used by web applications for authentication and authorizations and for other types of data exchange and uploading.

Answer 72

XML

*** On the exam, this could be called any of the following three names:

XML Vulnerabilities
XML Exploitation
XML Injection

Question 73

This kind of data itself has to be submitted from you to the server or from one server to another.

Answer 73

XML data

** When dealing with XML data, make sure that it’s submitted with encryption or input validation. If you do not, it will be vulnerable to spoofing, request forgery, and injection of arbitrary code.

Question 74

What are some of the exploits that you can have with XML?

Answer 74

XML Bomb (Billion Laughs Attack)

XML XXE

Question 75

This is where XML encodes entities that expand to exponential sizes, consuming memory on the host and potentially crashing it.

Answer 75

XML Bomb
(Billion Laughs Attack)

*** This is very similar to a denial of service attack.

Question 76

This is an attack that embeds a request for a local resource.

Answer 76

XML XXE

*** This is very similar to a file inclusion.

In a line of code, you can tell what this looks like by seeing “xml” and “file:///etc/shadow”

Question 77

What does “XXE” stand for?

Answer 77

External Entity

Question 78

How do you prevent XML vulnerabilities from being exploited?

Answer 78

Proper input validation

Question 79

Remember that XML code can often look a lot like HTML code or it might look like Javascript. The big difference is that when you’re dealing with HTML or Javascript, there are…?

Answer 79

Defined keywords for each of those bracketed entries whereas with XML you can make those say anything you want.

Question 80

Take a second to identify which code applies to XML and HTML:

1. Font, image, or href
2. Questions, ID, type, element entity.

Answer 80

1 = HTML
2 = XML

Question 81

What is a “race condition”?

Answer 81

A software vulnerability that occurs when the resulting outcome from execution processes is directly dependent on the order and timing of certain events. And those events failed to execute in the order and timing intended by the developer.

*** Essentially, the computer is trying to race itself. So you’re trying to do something legitimately and the attacker is trying to do something at the same time and they can get in before you, they have now taken advantage of this race condition to be able to run their thing before you can run yours.

Question 82

This is found when there are multiple threads attempting to write a variable or object at the same memory location at the same time.

Answer 82

Race Condition Vulnerability

Question 83

What are some ways that a race condition can occur?

Answer 83

Dereference (no-pointer dereference exploit)

Question 84

This is a software vulnerability that occurs when the code attempts to remove the relationship between a pointer and the thing that that pointer is pointing to in memory.

Answer 84

Dereference

Question 85

Why are race conditions difficult to detect and mitigate?

Answer 85

If the attacker can race in and get there before the antivirus can take holder, it doesn’t realize you’re doing something wrong.

Question 86

What are three main types of design vulnerabilities?

Answer 86

Insecure Components

Insufficient Logging and Monitoring

Weak or Default Configurations

Question 87

What does it mean to have an “insecure component”?

Answer 87

Any code that’s used or invoked outside of the main program development process.

For example, using code resuse which is just copy and pasting code from one application to another without knowing if it’s secure beforehand.

Question 88

What does it mean to have “insufficient logging and monitoring”?

Answer 88

Any program that does not properly record or log detailed enough information for an analyst to perform their job when there’s incident that happens.