Security Plus - Chapter 6 Flashcards

1
Q

Software development Lifecycle (SDLC)

A

A model that maps the steps of software creation from an idea through requirements gathering and analysis, design, coding, testing, and rollout. Once in production, it also covers user training, maintenance, and decommissioning at the end of life.

2
Q

SDLC Phases

A

Planning
Requirements definition
Design
Coding - Includes Unit testing
Testing - Includes User Acceptance testing
Training and Transition
Operations and Maintenance
Decommissioning

3
Q

SDLC Planning Phase

A

Initial investigations into whether the effort should occur are conducted.

4
Q

SDLC Requirements Definition Phase

A

The development team will begin discussions with customers to determine what the desired functionality is, what the current application or system does and doesn’t do, and what improvements are desired.

5
Q

SDLC Design Phase

A

Determining the design for functionality, architecture, integration points and techniques, dataflows, business processes, and other elements that have design implications.

6
Q

SDLC Testing Phase

A

Testing of the systems or applications by internal users, customers, and other stakeholders. This phase also includes User Acceptance testing to ensure that the users of the software are satisfied with its functionality.

6
Q

SDLC Coding Phase

A

Writing the code for the application or system. This may include unit testing, which tests small sections of the code to ensure they are written properly.

7
Q

SDLC Training and Transition Phase

A

Ensuring that end users are trained on the software and that the software has entered general use. Includes patching, updating, minor modifications, and other daily support work.

8
Q

SDLC Decommissioning

A

When a system or application reaches the end of its life, either through obsolescence or because a new version of the software has been built to replace it.

9
Q

Network Environments

A

Development
Testing
Staging
Production

10
Q

Development Environment

A

Used by developers or builders to perform coding and workflow development, limiting access to production.

11
Q

Testing Environment

A

Where software and systems can be tested without impacting the Production environment.

12
Q

Staging Environment

A

A transition environment for code that has successfully cleared testing and is ready to be deployed into production.

13
Q

Production Environment

A

This environment hosts all of the software, patches, and other changes to code that have been approved for use by the clients.

14
Q

DevOps

A

Combines the software development and IT operations with the goal of optimizing the SDLC.

15
Q

Toolchains

A

Utilizes processes and applications that assist with coding, building, testing, packaging, releasing, configuring, and monitoring software within DevOps.

16
Q

DevSecOps

A

Utilizes processes and applications that assist with coding, building, testing, packaging, releasing, configuring, monitoring, threat analysis, communication, providing feedback, and ongoing improvement to software and processes.

17
Q

Continuous Integration

A

A development practice in which code is checked into a shared repository frequently and on an ongoing basis, enabling automation and scripting to carry out the automated actions that result in continuous delivery of code.

18
Q

Continuous Deployment

A

Automatically rolls changes out to production as soon as they have passed testing.

19
Q

Continuous Validation

A

Automated security testing of the code that ensures the code is continually functioning appropriately and no new vulnerabilities are discovered.

20
Q

Open Worldwide Application Security Project (OWASP)

A

A broad community of developers and security practitioners that hosts many community-developed standards, guides, and best-practice documents, as well as a multitude of open-source tools.

21
Q

OWASP Secure Coding Practices

A

Define Security Requirements - Implement security throughout the development process.
Leverage Security Frameworks - Pre-existing security capabilities can make securing applications easier.
Secure Database Access - Use prebuilt SQL queries to prevent injection, and configure the database for secure access.
Encode and Escape Data - Remove special characters.
Validate All Inputs - Treat user input as untrusted and filter appropriately.
Implement Digital Identity - Use multi-factor authentication, secure password storage, and session handling.
Enforce Access Controls - Require all requests to go through access control checks, deny by default, and apply the principle of least privilege.
Protect Data Everywhere - Use encryption in transit and at rest.
Implement Security Logging and Monitoring - This helps detect problems and allows investigation after the fact.
Handle All Errors and Exceptions - Errors should not reveal sensitive data, and applications should be tested to ensure that they handle problems gracefully.

22
Q

Application Programming Interfaces (APIs)

A

Interfaces between clients and servers or applications and operating systems that define how the client should ask for information from the server and how the server will respond.

23
Q

Code Analysis and Testing

A

It is important to analyze code to understand what the code is doing, how it performs that task, and where flaws may occur in the program. This is performed through static or dynamic code analysis and with testing methods like fuzzing. Once code is deployed, regression testing is performed to ensure the fixes put in place did not create new security issues.

24
Q

Static Code Analysis

A

Known-environment testing that reviews the code to understand how the program is written and what the code is intended to do.

25
Q

Dynamic Code Analysis

A

Reviews the code by executing it while supplying input to test the software.

26
Q

Fuzzing

A

Involves sending invalid or random data to an application to test its ability to handle unexpected data. The application is monitored to determine if it crashes, fails, or responds in an incorrect manner. Focuses on identifying simple problems with the application.

27
Q

Injection Vulnerabilities

A

Among the primary mechanisms that attackers use to break through a web application and gain access to systems supporting that application.

28
Q

SQL Injection

A

Web applications often receive input from users and use it to compose a database query whose results are sent back to the user. The attacker sends an unusual-looking request to the web server and monitors the results of the request.

29
Q

Blind Content-Based SQL Injection

A

The attacker sends input to the web application that tests whether the application is interpreting injected code, before attempting an attack.

30
Q

Blind Timing-Based SQL Injection

A

When an attacker uses the amount of time required to process a query as a channel for retrieving information from a database. Longer delays in returning information usually mean there is a possible attack vector available to exploit.

31
Q

Code Injection Attacks

A

These attacks seek to insert attacker-written code into the legitimate code created by a web application developer. They can also be seen in other developer-facing languages and components:
LDAP - Lightweight Directory Access Protocol attack
XML - Extensible Markup Language attack
DLL - Dynamic Link Library attack
HTML - Cross-Site Scripting attack (XSS)

32
Q

Command Injection Attacks

A

This occurs when an attacker exploits application code that reaches back to the operating system. This gives the attacker the ability to directly manipulate the operating system.

33
Q

Password Authentication Attack

A

Utilizing a user's password to access a system without proper permission.
- Conducting social engineering attacks that trick the user into revealing their password, either directly or through a false authentication mechanism
- Eavesdropping on encrypted network traffic
- Obtaining a dump of passwords from previously compromised sites and using that list to attempt access, hoping that users have not changed the passwords they previously used
- Conducting a brute-force attack in which the attacker obtains a set of weakly hashed passwords from a target system and then searches for matches to crack those passwords and obtain access
- Attempting to access a system using generally known usernames and passwords that may not have been changed from their default settings

34
Q

Session Hijacking attacks

A

An authentication attack that steals an existing authenticated session. If a user authenticated to a website and never successfully logged out, or the browser retains the authentication cookie and does not require reauthentication, an attacker may be able to take over the access that was already granted in the previous session.

35
Q

Cookie Stealing and Manipulation

A

The taking of a user's cookie from a web session, which an attacker then uses to impersonate the user.
- Eavesdropping on an unencrypted network connection and stealing a copy of the cookie as it is transmitted between the user and the website
- Installing malware in the user's browser that retrieves cookies and transmits them back to the attacker
- Engaging in an on-path attack, where the attacker fools the user into thinking they are accessing the legitimate website when it is actually a fake authentication site created by the attacker. The attacker then obtains the cookie once the user attempts to log in to the fake site.

36
Q

Session Replay Attack

A

Once an attacker has a cookie, they can manipulate the cookie and alter the details sent back to the website or use the cookie as the badge required to gain access to the site.

37
Q

Secure Cookies

A

Web developers can protect cookies from theft by marking them with the Secure attribute. Such cookies are never transmitted over unencrypted HTTP connections.

38
Q

NTLM Pass-the-Hash Attack

A

A replay attack that takes place against the operating system. The attacker gains access to a Windows system and then harvests stored NTLM password hashes from it. The attacker can then attempt to use the hashes to gain user or administrator access to that system or to other systems in the same Active Directory domain.

39
Q

Unvalidated Redirects

A

An attacker may use an insecure redirect on a website as an attack vector by inserting their own site as the next step in the process, where the user is then directed to enter their credentials. Validating redirects is the way to prevent attackers from abusing them.

40
Q

Insecure Direct Object References

A

When an application is designed to retrieve information directly from a database based on an argument provided by the user in either a query string or a POST request, and the application does not perform authorization checks. This allows a user to exceed their authority and view information they should not be able to see.

41
Q

Directory Traversal Attack

A

When web servers allow the inclusion of operators that navigate directory paths, and file system access controls do not properly restrict access to files stored elsewhere on the server.

42
Q

File Inclusion Attack

A

Retrieves files from the local server and executes the code contained within a file, allowing an attacker to fool the web server into executing arbitrary code.
- Local File Inclusion - Seeks to execute code stored somewhere else on the web server.
- Remote File Inclusion - Allows the attacker to execute code that is stored on a remote server.

43
Q

Web Shell

A

Allows the attacker to execute commands on the server and view the results in the browser. Because access to the server takes place over the HTTP and HTTPS ports, the traffic is less likely to be detected by security tools.

44
Q

Privilege Escalation

A

Seeks to increase the level of access that an attacker has to a target system. These attacks exploit vulnerabilities that allow the attacker to transform their account from a standard user to a Root or Administrator user account.

45
Q

Cross Site Scripting Attack

A

Occurs when a web application allows an attacker to perform HTML injection, inserting their own HTML code into a web page.

46
Q

Reflected Cross Site Scripting Attack

A

Requesting additional information from a user, which causes the user to enter more information than necessary, such as a username and password, which could then be transmitted to a malicious web link.

47
Q

Stored Cross Site Scripting Attack

A

Utilizing code stored on a remote web server and executing that code on the target server.

48
Q

Request Forgery Attack

A

Attacks that exploit trust relationships and attempt to have users unwittingly execute commands against a remote server.
- Cross-site request forgery - Exploits the trust that remote sites have in a user's system to execute commands on the user's behalf.
- Server-side request forgery - Exploits a server into visiting a URL based on user-supplied input.

49
Q

Input Validation

A

An application security control that verifies the data entered into a field on a website is the correct type of data. This validation should be performed on the server side.

50
Q

Allow List

A

An input validation approach in which the developer describes the exact type of input expected from a user and then verifies that the input matches that specification before passing it to other processes or systems.

51
Q

Deny Listing

A

An input validation approach in which developers describe the types of malicious data that are not permitted as input, and such input is blocked.

52
Q

Parameter Pollution

A

An input validation attack that sends a web application more than one value for the same input variable.

52
Q

Web Application Firewalls (WAF)

A

Firewalls that work at the application layer, sit in front of a web server, and receive all network traffic headed to that server. They review and analyze the input headed to the application, performing input validation before passing the input to the web server.

53
Q

Parameterized Queries

A

A protection against injection attacks in which the client does not send SQL code directly to the database. Instead, the client sends arguments to the server, which inserts those arguments into a precompiled query template.
- Stored procedures

54
Q

Sandboxing

A

The practice of running an application in a controlled or isolated environment to prevent it from interacting negatively with other system resources or applications.

55
Q

Code Signing

A

Provides developers with a way to confirm the authenticity of their code to end users. A cryptographic function is used to digitally sign the code with the developer's private key; the browser then uses the developer's public key to verify the signature and ensure the code is legitimate and has not been modified by unauthorized individuals.

56
Q

Code Reuse

A

The practice of utilizing known, approved code for additional purposes within an organization's development teams.

57
Q

Software Diversity

A

Ensuring that the organization's development teams are not reliant on a single piece of code, binary executable file, or compiler, so that there is no single point of failure.

58
Q

Code Repositories

A

Centralized locations for storing and managing application source code. They hold the source files used in software development in one place, allowing for secure storage and coordination of changes among multiple developers.

59
Q

Integrity Measurement

A

Uses cryptographic hash functions to verify the code being released into production matches the code that was previously approved.

60
Q

Application Resilience

A

Ensuring the application design can be adapted by the development team in the face of changing demand.
- Scalability - The application should be designed so that the computing resources it requires can be incrementally adjusted to support increasing demand.
- Elasticity - Applications should be able to provision resources automatically to scale up when necessary and then automatically deprovision those resources to reduce capacity when it is no longer needed.

61
Q

Source Code Comments

A

Comments placed throughout the code that provide documentation of design choices, explain workflow, and offer details crucial to other developers who may be called on to modify or troubleshoot the code.

62
Q

Error Handling

A

Developers write code that is resilient to unexpected situations that an attacker might create in order to test the boundaries of the code.
They must anticipate unexpected situations and build in steps or limits that handle these situations securely.

63
Q

Backdoor Vulnerability

A

Hard-coded maintenance or administrator credentials embedded in the source code.

64
Q

Package Monitoring

A

Keeping track of third-party libraries and packages used in your organization, understanding what they do, and being aware of any potential vulnerabilities they have. Developers must maintain the most up-to-date and secure versions of these packages.

65
Q

Resource Exhaustion

A

Systems may consume too much memory, storage, processing time, or other resources available to them, rendering the system unstable, disabled, or crippled for other uses.
- Memory Leaks - An application that requests memory from the operating system should return that memory to the OS when it is no longer needed. If the application fails to return all of the memory, then over time it can slowly consume all available memory, causing it to crash.

66
Q

Memory Pointers

A

An area of memory that stores the address of another memory location. An issue arises if the pointer points to an empty file location: an error will be returned. This is a null pointer, and it may allow an attacker to bypass security controls.

67
Q

Buffer Overflows

A

An attack performed by manipulating a program into placing more data into an area of memory than is allocated for the program’s use.

68
Q

Memory Injection

A

Maliciously inserting information into memory with instructions that may be executed by a different process running on the system, which is the cause of a buffer overflow.

69
Q

Race Conditions

A

When the security of a code segment depends upon the sequence of events occurring within the system.

70
Q

Time-of-Check (TOC)

A

A race condition when a system verifies access permissions or other security controls.

71
Q

Time-of-Use (TOU)

A

A race condition when the system accesses the resource or uses the permission that was granted.

72
Q

Target-of-Evaluation (TOE)

A

In a race condition, the particular component, system, or mechanism being evaluated or tested for potential vulnerabilities, such as the system's method of managing and validating access permissions.

73
Q

Time-of-Check-to-Time-of-Use (TOCTTOU or TOC/TOU)

A

A race condition that occurs when a program checks access permissions too far ahead of a resource request.

74
Q

Unprotected APIs

A

May lead to unauthorized use of functions when appropriate authentication is not used. APIs should be secured using API keys and accessed only over encrypted channels that protect those credentials from eavesdropping attacks.

75
Q

Security Orchestration, Automation, and Response (SOAR)

A

A platform that provides opportunities to automate security tasks that cross multiple systems. Processes that can be automated must be repeatable and must not require human interaction.

76
Q

Use Cases of Automation and Scripting

A

User provisioning - Automated scripts can handle the process of adding, modifying, or removing user access to systems and networks, reducing manual efforts and human error.
Resource provisioning - Scripts can automate the allocation and deallocation of system resources, ensuring optimal performance and reducing the burden on IT staff.
Guard Rails - Automation can be employed to enforce policy controls and prevent violations of security protocols.
Security Groups - Automated processes can manage security group memberships, ensuring users have appropriate permissions.
Ticket Creation - Automation can streamline the ticketing process, enabling immediate creation and routing of issues to the right teams.
Escalation - For major incidents, scripts can automate the escalation process, alerting key personnel quickly.
Enabling/Disabling services and access - Automation can be used to turn services or access on or off based on certain triggers or conditions.
Continuous Integration Testing - Scripts can automate the build and test process, ensuring faster and more reliable software delivery.
Integrations and APIs - Automated processes can handle data exchange between different software applications through APIs, enhancing interoperability.

77
Q

Benefits of Automation and Scripting

A
  • Achieving efficiency and time savings
  • Enforcing baselines
  • Standardizing infrastructure configurations
  • Scaling in a secure manner
  • Retaining employees
  • Reducing reaction time
  • Serving as a workforce multiplier

78
Q

Challenges of Automation and Scripting

A
  • Complexity
  • Cost - Upfront costs, which may dissipate over time
  • Single Point of Failure
  • Technical Debt - Scripts may become outdated or inefficient
  • Ongoing Supportability - Maintaining and updating scripts may be difficult