1
Q
Why SW is insecure?
A
- Lack of training
- Lack of funding
- No prioritization of security
- Security as an afterthought (come later)
2
Q
¿Cuáles son las metodologías más conocidas de desarrollo de SW?
A
- Waterfall
- Prototype
- Spiral
- AGILE
3
Q
¿En qué consiste la metodología Waterfall?
A
Phase by phase, good for short projects.
Debido a que puede durar mucho tiempo el desarrollo, los requerimientos también pudieron haber cambiado con el tiempo.
4
Q
¿Cuáles son las fases de la metodología Waterfall?
A
Requirements –> Design –> Implementation –> Testing –> Deployment –> Maintenance
5
Q
¿Cuáles son los “pros” de la metodología “Waterfall”?
A
- Each phase has specific deliverables and a review proccess.
- Best for small projects
- It reinforces “define before design” and “design before code”
6
Q
¿Cuáles son los “cons” de la metodología “Waterfall”?
A
- STATIC IN NATURE
- Adjusting scope during the life cycle can kill a project.
- High amounts of risk and uncertainty
- No working SW is produced until late during the life cycle.
7
Q
¿En qué consiste la metodología de desarrollo “Prototyping”?
A
Evolving model, CIRCULAR IN NATURE.
Initial Requirements –> Design –> Prototyping –> Customer evaluation –> Review & Updation –> Design
8
Q
¿Cuáles son los “pros” de la metodología “Prototyping”?
A
- Users can interact with prototype very quickly and can identify needed changes and refine requirements.
9
Q
¿Cuáles son los “cons” de la metodología “Prototyping”?
A
- There’s a tendency to do a superficial analysis.
10
Q
¿En qué consiste la metodolodía de desarrollo “Spiral”?
A
Takes the steps from the waterfall model and the circular from the prototyping model.
11
Q
¿Cuáles son los “pros” de la metodología “Spiral”?
A
- Good for large mission control projects
- High amount of risk analysis
12
Q
¿Cuáles son los “cons” de la metodología “Spiral”?
A
- Can be costly model to use
- Risk analysis requires highly specific expertise
13
Q
¿Cuáles son los “pros” de la metodología “AGILE”?
A
- Less defect in the final product
- Adaptable to changing requirements
- Iterations provide an immediate feedback
14
Q
¿Cuáles son los “cons” de la metodología “AGILE”?
A
- Lack of documentation
- Hard to have good system design
15
Q
¿Cuáles son las arquitecturas de seguridad mas comúnes?
A
- Distributed Computing
- Service Oriented Architecture
- Rich Internet Application
- Ubiquitous Computing
- Cloud Architecture
16
Q
¿Cuáles son las características del “Distributed Computing”?
A
- Client - Server environment
- Processing on both ends
- Scalability
- Availability
- Maintainability
- Security
17
Q
¿Cómo se consideran a las redes Peer 2 Peer?
A
Se consideran como Distributed Computing
18
Q
¿Qué es una “Service Oriented Architecture”?
A
DE NATURALEZA MODULAR.
SERVICIOS NEUTRALES DE LOS VENDEDORES.
Is an architecture and a vision on how heterogeneous applications should be developed and integrated in the enterprise
19
Q
Menciona algunas amenazas para las Rich Internet Applications:
A
Client Side threats: XSS, CSRF
Server Side threats: Code injection
20
Q
¿Qué es la “Polyinstatiation”?
A
Sinónimo de mentir (LYING)
Multiple instances of information.
21
Q
¿Qué es el “ubiquitous computng”?
A
Computer everywhere.
22
Q
¿Cuál es el objetivo del monitoring?
A
- Validate compliance to regulations and other governance requirements.
- Demonstrate due diligence and due care on the part of the organization towards it’s stakeholders.
- Ensure the CIA aspects of SW.
- Detect insider and external threats that are orchestrated against the organization.
23
Q
El término due dilligence, se refiere a:
A
Due dilligence –> Research
24
Q
El término due care, se refiere a:
A
Due care –> Action
25
Menciona las características de buenas métricas:
- Consistency
- Quantitative
- Objectivity
- Relevance
- Inexpensive
26
¿Cuál es el objetivo de "auditing"?
- Ensure policies are being followed/are effective.
- Make sure that individual user accounts aren't unintentionally being allowed to accumulate rights/permissions.
- Check the accuracy and completeness of transactions that are authorized.
27
Menciona algunos sujetos adversarios de la seguridad de la información:
- Script kiddies
- Hackers
- Elite
28
¿Cuáles son los 10 puntos de OWASP?
1.- Code injection; 2.- Broken authentication and session management; 3.- XSS (Cross Site Scripting); 4.- Insecure Direct Object References; 5.- Security Misconfigurations; 6.- Sensitive Data Exposure; 7.- Missing Functions Level Access Control; 8.- Cross Site Request Forgery (CSRF); 9.- Known Vulnerable Component Usage; 10.- Unvalidated Redirects and Forwards.
29
Punto 1 OWASP "Code injection" refers to:
The attacker's hostile data can trick the interpreter into executing unintended commands or accesing data without proper authorization. MITIGATE --> INPUT VALIDATION
30
Punto 2 OWASP "Broken authentication and Session Management" refers to:
Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys or session tokens, or to exploit other implementation flaws to assume other user identities. MITIGATE --> AUTHENTICATE WELL
31
Punto 3 OWASP "XSS (Cross Site Scripting) refers to:
Occur whenever an application takes untrusted data and send into a web browser without proper validation or escaping.
MITIGATE --> INPUT VALIDATION
XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious site.
32
Punto 4 OWASP "Insecure Direct Object References" refers to:
Defined as an unauthorized user or process which can invoke the internal functionality of the software by manipulating parameters and other object values that directly references this functionality.
33
Punto 5 OWASP "Security Minsconfigurations" refers to:
Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, DB server and platform. Secure setting should be defined, implemented, and maintained as defaults are often insecure.
MITIGATE --> HARDENING
34
Punto 6 OWASP "Security Data Exposure" refers to:
Many web applications do not properly protect sensitive data, such as credit cards, tax ID's, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes.
35
Punto 7 OWASP "Missing Functions Level Acces Control" refers to:
Most web applications verify function level access rights before making that functionally visible in the UI. However apllications need to perform the same access control checks on the server when each function is accessed.
36
Punto 8 OWASP "Cross Site Request Forgery" refers to:
A CSRF attacks forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attackers to force the victim's browser to generate request the vulnerable application thinks are legitimate request frotm the victim.
37
Punto 9 OWASP "Known vulnerable Component Usage" refers to:
Components, such as libraries, frameworks, and other SW modules almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defeneses and enable a range of possible attacks and impacts.
38
Punto 10 OWASP "Unvalidated redirects and forwards" refers to:
Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages.
39
¿Cómo se mitiga el CSFR?
Implement the SW to use a unique session specific token (called a nonce) that is generated in a random, non-predictable, non-guessable and/or sequential manner. CAPTCHA
40
What's Defensive Coding?
Proactive, secure coding intended to ensure the continuing function the SW under unforeseen circunstances.
41
¿Cuáles son los puntos que conforman el "Defensive Coding"?
- Input Validation
- Sanitization of data
- Output Sanitization
- Error Handling
- Concurrency
- Tokenizing
42
¿A qué se refiere el término "Tokenizing"?
The process of replacing sensitive data with unique identification symbols that still retain the needed information about the data, without compromising it's security.
43
¿Que es una "Sandboxing"?
The security mechanism that prevents SW running on a system from accessing the host operating system.
Creates a separation from the host operating system so that untested, untrusted and unverified code and programs, especially these that are published by third parties can be run.
44
¿A qué se refiere el término anti-tampering?
- What we're downloading is what we receive
- Integrity criteria
- Code signing
45
Pasos del proceso de software seguro:
- Version control
- Code analysis
- Code/ Peer review
46
¿Qué es lo que proporciona el Version Control?
- Correct versions of code is used
- Rollback capabilities are available
- Tracks ownership of code
- Tracks changes to code
47
¿Qué es lo que proporciona el code analysis?
- Inspect code for quality and weaknesses
- Static code analysis
- Dynamic code analysis
48
¿En qué consiste el Static Code Analysis?
involves the inspection of the code without executing the code (a SW)
49
¿En qué sonsiste el Dynamic Code Analysis?
Is the inspection of the code when it's being executed (run as a program)
50
¿A qué se refiere el término "Code Review"?
Systematic evaluation on the source code with the goal of finding out syntax issues and weaknesses in the code that can impact the performance and security of the SW.
51
¿Cuáles son los objetivos del "Change Management"?
- Stability on the environment
- Control changes on the baseline
- Changes must be controlled
52
¿En qué consisten las pruebas del tipo White Box (aka Structural Analysis)?
Full access to:
- Source code
- Design documents
- Use and Misuse cases
- Configuration files
53
¿En qué consisten las pruebas del tipo Black Box (aka Structural Analysis)?
No knowledge of the code:
- Fuzzing
- Scanning
- Penetration testing
54
¿A qué se refiere el término "FUZZING"?
VERIFIES THE EFFECTIVENESS OF INPUT VALIDATION.
Also known as fault injection testing.
Inyectar archivos o datos en el sistema y ver cómo reacciona éste.
Brute force type of testing in which fauts are injected into the SW and the behavior is observed.
55
¿Qué es un escaneo?
Passive means of getting information. Used to:
- Map the environment
- Identify server versions
- Identify patch levels
56
¿Cuáles son los tipos de escaneo que existen?
- Vulnerability Scanning
- Content Scanning: analyzes the actual contents of the document.
- Privacy Scanning: performed to detect violations of privacy policies.
57
¿Qué buscan las pen-test?
Looks to actively exploit a weakness.
58
¿Cuáles son los pasos que siguen las pen-testings?
1. - Reconnaissance (enumeration and Discovery)
2. - Resiliency attack
3. - Removal of evidence
4. - Reporting and Recommendations
59
¿Qué es la etapa de Verificación (SW)?
Does the SW meet the developer's description?. Does the SW satisfy the requirements?
60
¿Qué es la etapa de Validación (SW)?
REAL WORLD, MUNDO REAL PARA EL USUARIO.
| Does the SW solve the problem that is was supposed to solve. Does it meet a real-world need?
61
¿Qué es la etapa de Certificación (SW)?
TECHNICAL
The technical evaluation of the security features of a SW product. Does the product provide the appropiate needs for security in a particular environment?.
62
¿Qué es la etapa de Acreditación (SW)?
Management's acceptance (risk acceptance) of the product and their decision to implement the SW in their environment.
63
¿Qué es la etapa Post-Acceptance (SW)?
Ongoing updates, patches and changes reviewed and applied.
64
¿Cuáles son los modelos de Bases de Datos que existen?
- Hierarchical
- Distributed
- Object-Oriented
- Relational
65
¿Cuáles son las características del modelo Hierarchical?
Stores related information in a tree-like fashion. P.ej. Active directory
66
¿Cuáles son las características del modelo Distributed?
Client-server type of DB located on more than one server distributed in several locations. P. ej. DNS
67
¿Cuáles son las características del modelo Object-Oriented?
Reusable and modular in nature.
| Keeps track of objects and entities that contain both data and action on the data.
68
¿Cuáles son las características del modelo Relational?
A DB in the form of tables (rows, columns) related to each other.
69
¿Qué significa el término Normalization?
The process of removing duplicates and ensuring that each attribute only describes the primary key.
70
¿Qué es una Primary Key?
A unique identifier for each record. Can't be null or empty.
71
¿Qué es la Entity Integrity?
States that the primary key field can't be null.
72
¿Qué es una Foreign Key?
Is the primary Key en otras tablas.
73
¿Qué significa el término cardinalidad?
Is the number of rows in a relation.
74
¿Qué significa el término DB Degree?
Number of columns in the relation.
75
¿Qué es un Schema?
Is the overall structure of the DB. It indicates which tables, what fields, what type or cardinality a DB have.
