Software and Hardware Development Security Flashcards
What term describes a chip built into a computer that stores system-specific encryption keys used for hardware authentication?
A. Trusted foundry
B. TPM
C. HSM
D. SED
Answer:
B. A Trusted Platform Module (TPM) stores encryption keys to be used for hardware authentication. Hardware security modules (HSMs) are used to create, manage, and store encryption keys and to offload cryptographic processing. SED stands for self-encrypting drive, and a trusted foundry is a trusted, validated secure microelectronics supplier or manufacturer.
During a Fagan code inspection, which process can redirect to the planning stage?
A. Overview
B. Preparation
C. Meeting
D. Rework
Answer:
D. During the rework stage of Fagan inspection, issues may be identified that require the process to return to the planning stage and then proceed back through the remaining stages to re-review the code.
Adam is conducting software testing by reviewing the source code of the application. What type of code testing is Adam conducting?
A. Mutation testing
B. Static code analysis
C. Dynamic code analysis
D. Fuzzing
Answer:
B. Adam is conducting static code analysis by reviewing the source code. Dynamic code analysis requires running the program, and both mutation testing and fuzzing are types of dynamic analysis.
After a major patch is released for the web application that he is responsible for, Sam proceeds to run his web application security scanner against the web application to verify that it is still secure. What is the term for the process Sam is conducting?
A. Code review
B. Regression testing
C. Stress testing
D. Whiffing
Answer:
B. Sam is conducting a regression test, which verifies that changes have not introduced new issues to his application. Code review focuses on the application code, whereas stress testing verifies that the application will perform under load or other stress conditions. Whiffing isn’t a term used in this type of review.
During testing, Tiffany slowly increases the number of connections to an application until it fails. What is she doing?
A. Regression testing
B. Unit testing
C. Stress testing
D. Fagan testing
Answer:
C. Tiffany is stress testing the application. Stress testing intentionally goes beyond the application’s normal limits to see how it responds to extreme loads or other abnormal conditions beyond its normal capacity. Unit testing tests individual components of an application, and regression testing is done to ensure that new versions don’t introduce old bugs. Fagan testing is a formal method of code inspection.
Charles is worried about users conducting SQL injection attacks. Which of the following solutions will best address his concerns?
A. Using secure session management
B. Enabling logging on the database
C. Performing user input validation
D. Implementing TLS
Answer:
C. Charles should perform user input validation to strip out any SQL code or other unwanted input. Secure session management can help prevent session hijacking, logging may provide useful information for incident investigation, and implementing TLS can help protect network traffic, but only input validation helps with the issue described.
Susan’s team has been writing code for a major project for a year and recently released their third version of the code. During a post-implementation regression test, an issue that was originally seen in version 1 reappeared. What type of tool should Susan implement to help avoid this issue in the future?
A. Stress testing
B. A WAF
C. Pair programming
D. Source control management
Answer:
D. A source control management tool like Subversion or Git can help prevent old code from being added to current versions of an application. Developer practices still matter, but knowing what version of the code you are checking in and out helps! Stress testing would help determine whether the application can handle load, and a WAF (web application firewall) can protect against attacks, but neither would resolve this issue. Pair programming might detect the problem, but the question specifically asks for a tool, not a process.
Precompiled SQL statements that only require variables to be input are an example of what type of application security control?
A. Parameterized queries
B. Encoding data
C. Input validation
D. Appropriate access controls
Answer:
A. A parameterized query (sometimes called a prepared statement) uses a prebuilt SQL statement to prevent SQL-based attacks. Variables from the application are fed to the query, rather than building a custom query when the application needs data. Encoding data helps to prevent cross-site scripting attacks, as does input validation. Appropriate access controls can prevent access to data that the account or application should not have access to, but they don’t use precompiled SQL statements.
What process checks to ensure that functionality meets customer needs?
A. CNA
B. Stress testing
C. UAT
D. Unit testing
Answer:
C. User acceptance testing (UAT) is the process of testing to ensure that the users of the software are satisfied with its functionality. Stress testing verifies that the application will perform when under high load or other stress, and unit testing validates individual components of the application. CNA is not a term associated with application development.
Matt wants to prevent attackers from capturing data by directly connecting to the hardware communications components of a device he is building. What should he use to make sure that communications between the processor and other chips are not vulnerable?
A. Bus encryption
B. An HSM
C. A TPM module
D. LAMP encryption
Answer:
A. Bus encryption protects data in transit between the processor and other devices. An HSM is used to create, store, and manage cryptographic keys as well as to offload cryptographic processing, and a TPM chip is used to store cryptographic keys. LAMP encryption is made up for this question.
Using TLS to protect application traffic helps satisfy which of the OWASP best practices?
A. Parameterize queries
B. Encode data
C. Validate all inputs
D. Protect data
Answer:
D. TLS satisfies the “protect data” best practice by ensuring that network traffic is secure. Parameterizing queries uses prebuilt SQL, while encoding data removes control characters that could be used for cross-site scripting attacks and other exploits. Validating all inputs requires treating all user input as untrusted.
Kristen wants to implement a code review but has a distributed team that works at various times during the day. She also does not want to create any additional support load for her team with new development environment applications. What type of review process will work best for her needs?
A. Pair programming
B. Pass-around
C. Over-the-shoulder
D. Tool-assisted
Answer:
B. Pass-around reviews normally rely on email to move code between developers. In Kristen’s case, a pass-around review will exactly meet her needs. Pair programming and over-the-shoulder review both require developers to work together, whereas tool-assisted reviews require implementation of a tool to specifically support the review.
What type of attack is typically associated with the strcpy function?
A. Pointer dereferencing
B. A race condition
C. SQL injection
D. Buffer overflow
Answer:
D. strcpy does not include size information for the data it accepts, making it a popular target for buffer overflow attacks.
Kathleen wants to build a public API for a modern service-oriented architecture. What model is likely her best choice?
A. REST
B. SOAP
C. SAML
D. RAD
Answer:
A. RESTful designs are the most common and popular for modern web services because of their flexibility. SOAP remains in use but is not broadly used for public APIs. SAML is the Security Assertion Markup Language and would be useful for making security assertions, not for building a general-use SOA. RAD is an application development model.
During a web application test, Ben discovers that the application shows SQL code as part of an error provided to application users. What should he note in his report?
A. Improper error handling
B. Code exposure
C. SQL injection
D. A default configuration issue
Answer:
A. Improper error handling often exposes data to users and possibly attackers that should not be exposed. In this case, knowing what SQL code is used inside the application can provide an attacker with details they can use to conduct further attacks. Code exposure is not one of the vulnerabilities we discuss in this book, and SQL code being exposed does not necessarily mean that SQL injection is possible. Although this could be caused by a default configuration issue, there is nothing in the question to point to that problem.