Secure Software Development

Question 1

is an organized
process of developing
a secure application
throughout the life of
the project

Answer 1

SDLC Software Development Life Cycle

Question 2

Helps prioritize vulnerabilty identification and patching

Answer 2

Threat modeling

Question 3

Users and processes should be run using the least amount of access necessary to perform a given information

Answer 3

Least Privilege

Question 4

Layering of a security controls is more effective and secure than relying on a single control.

Answer 4

Defense in Depth

Question 5

Occurs when tester is not provided with any information about the system or program prior to conducting the test

Answer 5

Black box testing

Question 6

Occurs when a tester is provided full details of a system including the source code, diagram and user credentials in order to conduct the test

Answer 6

White box testing

Question 7

Provides control over what the application should do when faced with a run time or syntax error. Programs should use input validation when taking data from users

Answer 7

Structured exception handling

Question 8

Applications verify that information received from a user matches a specific format or range values.

Answer 8

Input Validation

Question 9

Analysis and testing of a program occurs with it being executed and run

Answer 9

Dynamic analysis

Question 10

Injection of randomize data into a software program in an attempt to find a system failures, memory leaks, error handling issues and improper input validation.

Answer 10

Fuzzing

Question 11

Code placed in computer programs to by pass normal authentication and other security mechanism.

Answer 11

Backdoors

Question 12

Method of accessing unauthorized directories by moving through the directory structure on a remote server

Answer 12

Directory traversal

Question 13

Occurs when an attacker is able to execute or run commands on a victim’s computer. When the user is away from computer.

Answer 13

Arbitrary Code Execution

Question 14

Occurs when an attacker is able to execute or run commands on a remote computer

Answer 14

Remote code execution

Question 15

Attack against a vulnerability that is unknown to the original developer or manufacturer

Answer 15

Zero day

Question 16

Occurs when a process stores data outside the memory range allocated by the developer.

Answer 16

Buffer overflow

Question 17

A temporary storage area that a program uses to store data

Answer 17

Buffer

Question 18

Reserved area of memory when the program saves the return address when a function call instruction is received.

Answer 18

Stack

Question 19

Occurs when an attackers fill up the buffer with NOP so that the return address may hit an NOP and continue on until it finds the attacker’s code to run

Answer 19

Smash the stack

Question 20

Series of NOPs is hit by a non malicious program

Answer 20

NOP Slide

Question 21

Method used by programmers to randomly arrange the different address spaces used by a program or process to prevent buffer overflow exploit

Answer 21

Address space layout randomization ASLR

Question 22

Occurs when an attacker embeds malicious scripting commands on a trusted website

Answer 22

Cross-site scripting (xss)

Question 23

Attempts to get data provides by the attacker to be saved on the web server by the victim.

Answer 23

Stored/persistent attack

Question 24

Attempts to have a non persistent effect activated by a victim clicking a link on the site

Answer 24

Reflected

Question 25

Attempts to exploit the victim’s web browser

Answer 25

Document Object Model (DOM) based

Question 26

Occurs when an attacker forces a user to execute actions on a webserver for which they are already authenticated

Answer 26

Cross-Site Request Forgery

Question 27

Attacking consisting of the insertion or injection of an SQL query via input data from the client to a web application

Answer 27

SQL injection

Question 28

Insertion of additional information or code through data input data from the client to a web application

Answer 28

Injection attack

Question 29

Data submitted without encryption or input validation is vulnerable to spoofing, request forgery and injection of arbitrary code

Answer 29

XML vulnerability

Extensible Mark up Language

Question 30

Xml encodes entities that expand to exponential size, consuming memory on the host and potential crashing it.

Answer 30

XML Bomb ( Billion Laugh Attack)

Question 31

An attack that embeds a request for a local resource

Answer 31

XML external entity

Question 32

A software vulnerabilty when the resulting outcome from execution process is directly dependent on the order and timing of certain events and those events fail to execute on the order and timing intended by the developer

Answer 32

Race Conditions

Question 33

A software vulnerability that occurs when the code attempts to remove the relationship between a pointer and the thing itnpoints to.

Answer 33

Dereferencing

Question 34

The potential vlnerability that occurs when theres a change between when an app checked a resource and when the app used the resource

Answer 34

Time of check to Time of use - TOCTOU

Question 35

Vulnerabilities often arise from the general design of the Software Code

Answer 35

Design Vulnerabilities

Question 36

Any code that is used or invoke outside the main program development process

Answer 36

Insecure Component

E.g
Code reuse
Third Party Library
SDK

Question 37

Any program that does not properly record or log detailed enough information for an analyst to perform their job

Answer 37

Insufficient Logging and Monitoring

Question 38

Any program that uses ineffective credentials or configurations, or one in which defaults have not been changed for security

Answer 38

Weak or Default Configuration

Question 39

Software development is performed in time-boxed or small increments to allow more adaptivity to change

Answer 39

Agile

Question 40

Software development and information technology operations

Answer 40

DevOps