Secure Development

Question 1

What is Threat Modeling?

Answer 1

Threat modeling helps to prioritize vulnerability and patching throughout the software development lifecycle

Question 2

When should security considerations be programmed into software?

Answer 2

At the very beginning of development

Question 3

What is the concept of least privilege?

Answer 3

Users and processes should be given the least amount of access necessary to perform a function

Question 4

What is defense in depth?

Answer 4

Layering of security controls

Question 5

Should you trust user input?

Answer 5

NO - all user input must be validated

Question 6

How would you minimize the attack surface when developing software?

Answer 6

Reduce the amount of code necessary, eliminate unneeded functionality and require authentication prior to running additional plugins

Question 7

What is a secure default?

Answer 7

Default configurations on a program that are inherently secure rather than requiring an administrator to add in the additional security

Question 8

Why should developers use code signing?

Answer 8

For authenticity and integrity purposes

Question 9

What is meant by “Fail Securely?”

Answer 9

Applications should be coded to properly conduct error handling to fail securely instead of crashing

Question 10

What is black box testing?

Answer 10

When a tester is not provided with any information about the program prior to conducting the test

Question 11

What is white box testing?

Answer 11

When a tester is given info about the program prior to testing

Question 12

What is gray box testing?

Answer 12

A mixture of white and black box where some info is given

Question 13

• Testing
• Integration
• Planning and Analysis
• Maintenance
• Deployment
• Software Design
• Implementation

Put these steps of the software development cycle in the correct order….

Answer 13

1. Planning and Analysis
2. Software/Systems Design
3. Implementation
4. Testing
5. Deployment
6. Maintenance

Question 14

What is SEH in secure software development?

Answer 14

Structured Exception Handling - provides control over what the app should do when it handles an error

Question 15

What is static analysis in SDLC?

Answer 15

Reviewing code manually without automatic tools and without running the program

Question 16

What is dynamic analysis in SDLC?

Answer 16

Analysis and testing of a program while executing or running it

Question 17

What is fuzzing in SDLC?

Answer 17

Injection of random data into a program in an attempt to find system failures and other weaknesses

Question 18

What is a back door?

Answer 18

Code placed in programs that bypasses normal authentication and security mechanisms

Question 19

What is arbitrary code execution?

Answer 19

When an attacker is able to execute or run commands on a victim’s computer

Question 20

What is RCE?

Answer 20

Remote code execution - attacker is able to execute commands remotely

Question 21

Explain stored/persistent XSS

Answer 21

An attempt to get data provided by the attacker stored on the web server by the victim

Question 22

Explain reflected XSS

Answer 22

When a malicious script is reflected off of a web application to the victim’s browser. The script is activated through a link, which sends a request to a website that enables execution of malicious scripts.

Question 23

Explain DOM-Based XSS

Answer 23

An attempt to exploit the victim’s web browswer

Question 24

What is XSRF?

Answer 24

Cross Site Request Forgery - when an attacker forces a user to execute actions on a server for which they are already authenticated

Question 25

How would you prevent XSRF?

Answer 25

Using session tokens, encryption, XML file scanning and cookie verification

Question 26

The process of removing redundant entries from a database is known as: sanitization or normalization

Answer 26

Normalization

Question 27

The process of removing redundant entries from a database is known as:

Answer 27

Normalization

Question 28

What are the countermeasures against SQL injection attacks?

Answer 28

Input Validation, Stored Procedures

Question 29

A type of redundant source code producing an output not used anywhere in the application is commonly referred to as

Answer 29

Dead Code

Question 30

What refers to the concept of virtualization on an application level?

Answer 30

Containerization

Question 31

What type of computing would be best suited for situations where response time in data processing is of critical importance?

Answer 31

Edge Computing

Question 32

The practice of finding vulnerabilities in an application by feeding it incorrect input is called:

Answer 32

Fuzzing

Question 33

What is an automated or manual code review process aimed at discovering logic and syntax errors in the application’s source code

Answer 33

Static Analysis