Software Development Security

Question 1

Why SW is insecure?

Answer 1

• Lack of training
• Lack of funding
• No prioritization of security
• Security as an afterthought (come later)

Question 2

¿Cuáles son las metodologías más conocidas de desarrollo de SW?

Answer 2

• Waterfall
• Prototype
• Spiral
• AGILE

Question 3

¿En qué consiste la metodología Waterfall?

Answer 3

Phase by phase, good for short projects.

Debido a que puede durar mucho tiempo el desarrollo, los requerimientos también pudieron haber cambiado con el tiempo.

Question 4

¿Cuáles son las fases de la metodología Waterfall?

Answer 4

Requirements –> Design –> Implementation –> Testing –> Deployment –> Maintenance

Question 5

¿Cuáles son los “pros” de la metodología “Waterfall”?

Answer 5

• Each phase has specific deliverables and a review proccess.
• Best for small projects
• It reinforces “define before design” and “design before code”

Question 6

¿Cuáles son los “cons” de la metodología “Waterfall”?

Answer 6

• STATIC IN NATURE
• Adjusting scope during the life cycle can kill a project.
• High amounts of risk and uncertainty
• No working SW is produced until late during the life cycle.

Question 7

¿En qué consiste la metodología de desarrollo “Prototyping”?

Answer 7

Evolving model, CIRCULAR IN NATURE.

Initial Requirements –> Design –> Prototyping –> Customer evaluation –> Review & Updation –> Design

Question 8

¿Cuáles son los “pros” de la metodología “Prototyping”?

Answer 8

• Users can interact with prototype very quickly and can identify needed changes and refine requirements.

Question 9

¿Cuáles son los “cons” de la metodología “Prototyping”?

Answer 9

• There’s a tendency to do a superficial analysis.

Question 10

¿En qué consiste la metodolodía de desarrollo “Spiral”?

Answer 10

Takes the steps from the waterfall model and the circular from the prototyping model.

Question 11

¿Cuáles son los “pros” de la metodología “Spiral”?

Answer 11

• Good for large mission control projects

- High amount of risk analysis

Question 12

¿Cuáles son los “cons” de la metodología “Spiral”?

Answer 12

• Can be costly model to use

- Risk analysis requires highly specific expertise

Question 13

¿Cuáles son los “pros” de la metodología “AGILE”?

Answer 13

• Less defect in the final product
• Adaptable to changing requirements
• Iterations provide an immediate feedback

Question 14

¿Cuáles son los “cons” de la metodología “AGILE”?

Answer 14

• Lack of documentation

- Hard to have good system design

Question 15

¿Cuáles son las arquitecturas de seguridad mas comúnes?

Answer 15

1. • Distributed Computing
2. • Service Oriented Architecture
3. • Rich Internet Application
4. • Ubiquitous Computing
5. • Cloud Architecture

Question 16

¿Cuáles son las características del “Distributed Computing”?

Answer 16

• Client - Server environment
• Processing on both ends
• Scalability
• Availability
• Maintainability
• Security

Question 17

¿Cómo se consideran a las redes Peer 2 Peer?

Answer 17

Se consideran como Distributed Computing

Question 18

¿Qué es una “Service Oriented Architecture”?

Answer 18

DE NATURALEZA MODULAR.
SERVICIOS NEUTRALES DE LOS VENDEDORES.
Is an architecture and a vision on how heterogeneous applications should be developed and integrated in the enterprise

Question 19

Menciona algunas amenazas para las Rich Internet Applications:

Answer 19

Client Side threats: XSS, CSRF

Server Side threats: Code injection

Question 20

¿Qué es la “Polyinstatiation”?

Answer 20

Sinónimo de mentir (LYING)

Multiple instances of information.

Question 21

¿Qué es el “ubiquitous computng”?

Answer 21

Computer everywhere.

Question 22

¿Cuál es el objetivo del monitoring?

Answer 22

• Validate compliance to regulations and other governance requirements.
• Demonstrate due diligence and due care on the part of the organization towards it’s stakeholders.
• Ensure the CIA aspects of SW.
• Detect insider and external threats that are orchestrated against the organization.

Question 23

El término due dilligence, se refiere a:

Answer 23

Due dilligence –> Research

Question 24

El término due care, se refiere a:

Answer 24

Due care –> Action

Question 25

Menciona las características de buenas métricas:

Answer 25

• Consistency
• Quantitative
• Objectivity
• Relevance
• Inexpensive

Question 26

¿Cuál es el objetivo de “auditing”?

Answer 26

• Ensure policies are being followed/are effective.
• Make sure that individual user accounts aren’t unintentionally being allowed to accumulate rights/permissions.
• Check the accuracy and completeness of transactions that are authorized.

Question 27

Menciona algunos sujetos adversarios de la seguridad de la información:

Answer 27

• Script kiddies
• Hackers
• Elite

Question 28

¿Cuáles son los 10 puntos de OWASP?

Answer 28

1.- Code injection; 2.- Broken authentication and session management; 3.- XSS (Cross Site Scripting); 4.- Insecure Direct Object References; 5.- Security Misconfigurations; 6.- Sensitive Data Exposure; 7.- Missing Functions Level Access Control; 8.- Cross Site Request Forgery (CSRF); 9.- Known Vulnerable Component Usage; 10.- Unvalidated Redirects and Forwards.

Question 29

Punto 1 OWASP “Code injection” refers to:

Answer 29

The attacker’s hostile data can trick the interpreter into executing unintended commands or accesing data without proper authorization. MITIGATE –> INPUT VALIDATION

Question 30

Punto 2 OWASP “Broken authentication and Session Management” refers to:

Answer 30

Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys or session tokens, or to exploit other implementation flaws to assume other user identities. MITIGATE –> AUTHENTICATE WELL

Question 31

Punto 3 OWASP “XSS (Cross Site Scripting) refers to:

Answer 31

Occur whenever an application takes untrusted data and send into a web browser without proper validation or escaping.
MITIGATE –> INPUT VALIDATION
XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious site.

Question 32

Punto 4 OWASP “Insecure Direct Object References” refers to:

Answer 32

Defined as an unauthorized user or process which can invoke the internal functionality of the software by manipulating parameters and other object values that directly references this functionality.

Question 33

Punto 5 OWASP “Security Minsconfigurations” refers to:

Answer 33

Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, DB server and platform. Secure setting should be defined, implemented, and maintained as defaults are often insecure.
MITIGATE –> HARDENING

Question 34

Punto 6 OWASP “Security Data Exposure” refers to:

Answer 34

Many web applications do not properly protect sensitive data, such as credit cards, tax ID’s, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes.

Question 35

Punto 7 OWASP “Missing Functions Level Acces Control” refers to:

Answer 35

Most web applications verify function level access rights before making that functionally visible in the UI. However apllications need to perform the same access control checks on the server when each function is accessed.

Question 36

Punto 8 OWASP “Cross Site Request Forgery” refers to:

Answer 36

A CSRF attacks forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attackers to force the victim’s browser to generate request the vulnerable application thinks are legitimate request frotm the victim.

Question 37

Punto 9 OWASP “Known vulnerable Component Usage” refers to:

Answer 37

Components, such as libraries, frameworks, and other SW modules almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defeneses and enable a range of possible attacks and impacts.

Question 38

Punto 10 OWASP “Unvalidated redirects and forwards” refers to:

Answer 38

Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages.

Question 39

¿Cómo se mitiga el CSFR?

Answer 39

Implement the SW to use a unique session specific token (called a nonce) that is generated in a random, non-predictable, non-guessable and/or sequential manner. CAPTCHA

Question 40

What’s Defensive Coding?

Answer 40

Proactive, secure coding intended to ensure the continuing function the SW under unforeseen circunstances.

Question 41

¿Cuáles son los puntos que conforman el “Defensive Coding”?

Answer 41

• Input Validation
• Sanitization of data
• Output Sanitization
• Error Handling
• Concurrency
• Tokenizing

Question 42

¿A qué se refiere el término “Tokenizing”?

Answer 42

The process of replacing sensitive data with unique identification symbols that still retain the needed information about the data, without compromising it’s security.

Question 43

¿Que es una “Sandboxing”?

Answer 43

The security mechanism that prevents SW running on a system from accessing the host operating system.
Creates a separation from the host operating system so that untested, untrusted and unverified code and programs, especially these that are published by third parties can be run.

Question 44

¿A qué se refiere el término anti-tampering?

Answer 44

• What we’re downloading is what we receive
• Integrity criteria
• Code signing

Question 45

Pasos del proceso de software seguro:

Answer 45

• Version control
• Code analysis
• Code/ Peer review

Question 46

¿Qué es lo que proporciona el Version Control?

Answer 46

• Correct versions of code is used
• Rollback capabilities are available
• Tracks ownership of code
• Tracks changes to code

Question 47

¿Qué es lo que proporciona el code analysis?

Answer 47

• Inspect code for quality and weaknesses
• Static code analysis
• Dynamic code analysis

Question 48

¿En qué consiste el Static Code Analysis?

Answer 48

involves the inspection of the code without executing the code (a SW)

Question 49

¿En qué sonsiste el Dynamic Code Analysis?

Answer 49

Is the inspection of the code when it’s being executed (run as a program)

Question 50

¿A qué se refiere el término “Code Review”?

Answer 50

Systematic evaluation on the source code with the goal of finding out syntax issues and weaknesses in the code that can impact the performance and security of the SW.

Question 51

¿Cuáles son los objetivos del “Change Management”?

Answer 51

• Stability on the environment
• Control changes on the baseline
• Changes must be controlled

Question 52

¿En qué consisten las pruebas del tipo White Box (aka Structural Analysis)?

Answer 52

Full access to:

• Source code
• Design documents
• Use and Misuse cases
• Configuration files

Question 53

¿En qué consisten las pruebas del tipo Black Box (aka Structural Analysis)?

Answer 53

No knowledge of the code:

• Fuzzing
• Scanning
• Penetration testing

Question 54

¿A qué se refiere el término “FUZZING”?

Answer 54

VERIFIES THE EFFECTIVENESS OF INPUT VALIDATION.
Also known as fault injection testing.
Inyectar archivos o datos en el sistema y ver cómo reacciona éste.
Brute force type of testing in which fauts are injected into the SW and the behavior is observed.

Question 55

¿Qué es un escaneo?

Answer 55

Passive means of getting information. Used to:

• Map the environment
• Identify server versions
• Identify patch levels

Question 56

¿Cuáles son los tipos de escaneo que existen?

Answer 56

• Vulnerability Scanning
• Content Scanning: analyzes the actual contents of the document.
• Privacy Scanning: performed to detect violations of privacy policies.

Question 57

¿Qué buscan las pen-test?

Answer 57

Looks to actively exploit a weakness.

Question 58

¿Cuáles son los pasos que siguen las pen-testings?

Answer 58

1. • Reconnaissance (enumeration and Discovery)
2. • Resiliency attack
3. • Removal of evidence
4. • Reporting and Recommendations

Question 59

¿Qué es la etapa de Verificación (SW)?

Answer 59

Does the SW meet the developer’s description?. Does the SW satisfy the requirements?

Question 60

¿Qué es la etapa de Validación (SW)?

Answer 60

REAL WORLD, MUNDO REAL PARA EL USUARIO.

Does the SW solve the problem that is was supposed to solve. Does it meet a real-world need?

Question 61

¿Qué es la etapa de Certificación (SW)?

Answer 61

TECHNICAL
The technical evaluation of the security features of a SW product. Does the product provide the appropiate needs for security in a particular environment?.

Question 62

¿Qué es la etapa de Acreditación (SW)?

Answer 62

Management’s acceptance (risk acceptance) of the product and their decision to implement the SW in their environment.

Question 63

¿Qué es la etapa Post-Acceptance (SW)?

Answer 63

Ongoing updates, patches and changes reviewed and applied.

Question 64

¿Cuáles son los modelos de Bases de Datos que existen?

Answer 64

• Hierarchical
• Distributed
• Object-Oriented
• Relational

Question 65

¿Cuáles son las características del modelo Hierarchical?

Answer 65

Stores related information in a tree-like fashion. P.ej. Active directory

Question 66

¿Cuáles son las características del modelo Distributed?

Answer 66

Client-server type of DB located on more than one server distributed in several locations. P. ej. DNS

Question 67

¿Cuáles son las características del modelo Object-Oriented?

Answer 67

Reusable and modular in nature.

Keeps track of objects and entities that contain both data and action on the data.

Question 68

¿Cuáles son las características del modelo Relational?

Answer 68

A DB in the form of tables (rows, columns) related to each other.

Question 69

¿Qué significa el término Normalization?

Answer 69

The process of removing duplicates and ensuring that each attribute only describes the primary key.

Question 70

¿Qué es una Primary Key?

Answer 70

A unique identifier for each record. Can’t be null or empty.

Question 71

¿Qué es la Entity Integrity?

Answer 71

States that the primary key field can’t be null.

Question 72

¿Qué es una Foreign Key?

Answer 72

Is the primary Key en otras tablas.

Question 73

¿Qué significa el término cardinalidad?

Answer 73

Is the number of rows in a relation.

Question 74

¿Qué significa el término DB Degree?

Answer 74

Number of columns in the relation.

Question 75

¿Qué es un Schema?

Answer 75

Is the overall structure of the DB. It indicates which tables, what fields, what type or cardinality a DB have.