Secure Software Processes Flashcards

1
Q

Code analysis is the process of …

A

inspecting the code for quality and for weaknesses that can be exploited. It is primarily accomplished by two means: static and dynamic.

2
Q

The primary advantage that a binary code analyzer has over static code analyzers is that a binary code analyzer can …

A

detect vulnerabilities and code inefficiencies that have been introduced by the compiler, since it inspects the compiled object code after the compilation process. It is also able to look into libraries that are linked in during compilation.

3
Q

The benefits of performing static code analysis are …

A

errors and vulnerabilities can be detected early and addressed before the software is deployed; the analysis can be performed in the development and testing environments.

4
Q

Dynamic code analysis is the inspection of …

A

the code when it is being executed (run as a program).

5
Q

Dynamic code analysis can be performed to ascertain that …

A

the code is reliably functioning as expected and is not prone to errors or exploitation.

6
Q

Code/Peer Review can be performed manually or using tools. It is a systematic evaluation of …

A

the source code with the goal of finding syntax issues and weaknesses in the code that can impact the performance and security of the software.

7
Q

What is usually not detected in a code review? A code review can be used to validate …

A

Semantic issues such as business logic and design flaws are usually not detected in a code review, but a code review can be used to validate the threat model generated in the design phase of the software development project.

8
Q

Injection flaws check for …

A

code that makes injection attacks possible, e.g. a lack of input validation.

9
Q

Non-repudiation Mechanisms in code review should ensure that …

A

auditing is properly implemented and that the authenticity of the code and the user or system actions are not disputable.

10
Q

Spoofing Attacks in code review check for code that makes spoofing attacks possible. This check should ensure that …

A

session identifiers are not predictable, passwords are not hard-coded, credentials are not cached, and no code that allows changes to the impersonation context is implemented.

11
Q

Errors and Exception Handling in code review must check to make sure that …

A

errors, when reported, do not reveal more information than is necessary, and that the software fails securely when errors occur.

12
Q

Cryptographic Strength: in a code review, non-standard or custom cryptographic algorithms are considered …

A

weak and must be avoided.

13
Q

Unsafe and Unused Functions and Routines must be …

A

reviewed to ascertain that deprecated and banned APIs are not used.

14
Q

Reversible Code in code review can be used to …

A

determine the internal architecture, design, and implementation details of software functionality.

15
Q

For code review, privileged code is the code that violates the … As part of the code review, checks must be performed to ensure that …

A

principle of least privilege; code that requires administrative rights to execute is explicitly controlled and monitored.

16
Q

In a code review, Maintenance Hooks are intentionally introduced, seemingly innocuous code that is implemented to … These maintenance hooks should not be deployed into the production environment because …

A

primarily provide for maintenance needs; an attacker could easily take advantage of the maintenance hook and gain backdoor entry into the system, often circumventing all security protection mechanisms.

17
Q

In a code review, Logic Bombs are serious code security issues as they can be placed in the code and …

A

go undetected if a code review is not performed. A logic bomb can be triggered to perform some malicious and unintended operation when its triggering condition is met.

18
Q

The integrity of the build environment can be assured by …

A

physically securing access to the systems that build the code; using access control lists (ACLs) that prevent access by unauthorized users; using version control software to assure that the code built is of the right version. Build automation is the process of scripting or automating the tasks involved in the build process.