Security Operations: Examining Application Security

Question 1

what is input validation?

Answer 1

Input validation is a technique to inspect and verify user data to ensure it meets specified criteria and is safe and appropriate for its intended use in a software application. This helps prevent security vulnerabilities and data errors.

Question 2

What are the two types of input validation?

Answer 2

You should perform input validation as early as possible as data flows from the application to the database. Types of input validation include:

Syntactic: enforces the syntactic structure of fields such as SSNs, current, time format, and date.

Semantic: enforces correctness of the field values, such as a price range or delivery date is within the expected range.

Question 3

What are the application security tools?

Answer 3

Data Type Validators
Secure Cookies
Code signing
Static Analysis

Question 4

What are the key factors of Data Type Validators?

Answer 4

Data type validators:

(example:) Django Validator)

(example:)JSON Schema/XML schema validation

Type conversion restrictions

Question 5

What do you need to consider when you are using secure cookies?

Answer 5

Secure cookies: An HTTP cookie, or secure attribute, that’s transmitted over encrypted connections (HTTPS) only. Potentially enhance web-application security by protecting sensitive data from eavesdropping and tampering during transmission.

Question 6

What is static coding?

Answer 6

Static code analysis: a software testing technique that analyzes a program’s source code of a program without executing the code. Additionally:

Tests are performed using software that allows developers and security professionals to rapidly search for coding issues and security vulnerabilities.

Note: Sometimes, the same developers that are using this testing software are the ones who created it.

This process can assist in adherence to coding standards, and help identify and address potential problems early in the development process, thereby reducing the likelihood of bugs and security flaws.

Question 7

What is Code signing?

Answer 7

Code signing: A security technique or method that involves digitally signed software or code with a unique cryptographic signature. Additionally, it:

Verifies the code’s authenticity and integrity.

Helps users trust that the code has not been tampered with and comes from a legitimate source before executing it.

An example is when the User Account Control (UAC) in Windows-based operating systems detects a software installation, it prompts the user to verify the installation, after Microsoft/Windows Defender SmartScreen screens the software publisher’s code-signing certificate.