2C

Question 1

A system or network can be thoroughly protected through various security measures, but all that security can be undone if an unsecure application is installed. ___ ___ is ensuring the integrity of software.

Answer 1

Application security

Question 2

What does SDLC stand for?

Answer 2

Software Development Life Cycle

Question 3

The development process of an application is outlined in…?

Answer 3

SDLC

Question 4

SDLCs are divided into ___. The number and type of ___ depends on which SDLC model is used.

Answer 4

phases

Question 5

What are the common SDLC phases?

Answer 5

1. Requirements Gathering and Analysis
2. Design
3. Implementation
4. Testing
5. Deployment
6. Maintenance

Question 6

The following describes which phase of SDLC?

Before developing an application, developers need to
know the requirements, that is, what the application is supposed to do.

Answer 6

Requirements Gathering and Analysis

Question 7

The following describes which phase of SDLC?

Design the application using the requirements given.

Answer 7

Design

Question 8

The following describes which phase of SDLC?

The application’s code gets written in this phase.

Answer 8

Implementation

Question 9

The following describes which phase of SDLC?

The code must be checked for functionality, that the application does what it’s designed to do. Developers should also input random invalid data into input fields to check for crashes, memory leaks, and other bugs. This process is known as fuzzing.

Answer 9

Testing

Question 10

The following describes which phase of SDLC?

This phase consists of installing the application on the production servers.

Answer 10

Deployment

Question 11

The following describes which phase of SDLC?

The software’s users provide feedback to the developers. Any problems that are reported are fixed.

Answer 11

Maintenance

Question 12

What are the two different types of SDLC models?

Answer 12

1. Waterfall
2. Agile

Question 13

The following describes which type of SDLC model?

In this model, each phase of development must be completed prior to passing on to the following phase. Backtracking is not permitted, because it is considered costly to do so. The phases of the ___ SDLC include requirements gathering, system design, implementation, testing, and maintenance.

Answer 13

Waterfall

Question 14

The following describes which type of SDLC model?

As opposed to the waterfall model, ____ allows backtracking as necessary. With ___, the development project is divided into smaller modules called sprints. Each sprint lasts approximately four weeks, after which the module would be released, and the next sprint would begin. Each sprint contains all the phases of the ____ SDLC (plan, design, build, launch, review, and test)

Answer 14

Agile

Question 15

Best practices dictate that software developers provide ____ ____, ensuring that when data is entered into an application and buttons are pressed, the desired result happens. Ensure that no
possible keyboard characters leave room for manipulation by hackers.

Answer 15

input validation

Question 16

Application ____ reduces security issues on a network by taking measures to prevent them in the first place.

Answer 16

hardening

Question 17

What are some of the most common application vulnerabilities?

Answer 17

1. Peer to Peer File Sharing
2. ActiveX Controls
3. Cookies
4. Scripting
5. Cross Site Scripting

Question 18

The following describes which application vulnerability?

Files such as music, videos and software can be shared online between users using _____ applications, such as BitTorrent. This is a common method of transmitting malicious code.

Answer 18

Peer to Peer File Sharing

Question 19

The following describes which application vulnerability?

Web sites and applications using ___ ___ can manipulate a system, obtaining full system access and potentially exploiting security vulnerabilities. On a Microsoft Internet browser, a user might be prompted to agree to run ___ ___. This practice should be discouraged

Answer 19

ActiveX Controls

Question 20

The following describes which application vulnerability?

Web sites store ___ (small text files) client computers that contain user preferences and logon information on. If the text file is accessed by someone else, they can see the information on it. HTTP traffic is unencrypted and can be intercepted.

Answer 20

Cookies

Question 21

The following describes which application vulnerability?

Recall from Unit 1, Risks, Threats, and Vulnerabilities, that a ___ is a list of commands to be performed by a program or scripting engine. ____ are used to automate processes on a computer and for generating web pages. This creates an application security issue
because ____ can make modifications to a system without user input.

Answer 21

Scripting

Question 22

The following describes which application vulnerability?

_____ (XSS) is a common attack that uses JavaScript to inject malicious code into a web application. XSS can compromise user accounts, activate Trojan horse programs, mislead users into revealing private data, and enable a perpetrator to steal session cookies to impersonate users. In _____ (XSS), remember that hackers can inject malicious code into websites.

Answer 22

Cross-site scripting (XSS)

Question 23

What are the four Application Vulnerability Prevention Techniques?

Answer 23

1. Apply software patches
2. Application configuration baseline
3. Application hardening
4. Cross-site request forgery prevention

Question 24

The following describes which application vulnerability prevention techniques?

In addition to input validation, application security best practices dictate that any software being used should be kept up to date with the most current security patches to remove vulnerabilities. This includes both applications and operating systems.

Answer 24

Apply software patches

Question 25

The following describes which application vulnerability prevention techniques? The software that your network uses should be configured with security in mind. Any options that can be modified to make the application more secure should be done if the necessary functionality is not impeded.

Answer 25

Application configuration baseline

Question 26

The following describes which application vulnerability prevention techniques? Any features of applications that are not necessary should be disabled for users.

Answer 26

Application hardening

Question 27

The following describes which application vulnerability prevention techniques? Websites may contain code that references another web page that take the user’s unexpired cookies for authentication. “Remember Me” should be denied by users in the browser to avoid this. Developers should set cookies to expire quickly.

Answer 27

Cross-site request forgery prevention

Question 28

___ data puts the information in an unreadable format until an authorized person decrypts the data, which places it back to cleartext ( a readable format).

Answer 28

File encryption

Question 29

Files can be encrypted at two levels—either encrypt the file in ___ or encrypt the file while it is in ___ from one location to another.

Answer 29

storage transit

Question 30

The benefit of encrypting the file in storage is that if hackers can get physical access to the system, they can normally bypass the permissions set by the system. If encrypting data in storage, and a hacker somehow circumvents the permissions, you will ensure that the data is ____.

Answer 30

unreadable

Question 31

When encrypting information in transit, you typically encrypt the communications channel between the two systems; that is, all data that runs through the communication channel is encrypted and so is the tunnel it is traveling through. By encrypting the information in transit, you ensure that someone who taps into the communication cannot...?

Answer 31

read the information they have tapped into

Question 32

An ___ detects suspicious activity on a host or a network, logs it, and alerts system or network administrators.

Answer 32

IDS

Question 33

What does IDS stand for?

Answer 33

Intrusion Detection System

Question 34

____ monitor hosts or networks for suspicious activity and take corrective action.

Answer 34

IPS

Question 35

What does IPS stand for?

Answer 35

Intrusion Prevention System

Question 36

IDSs and IPSs can be either host-based (HIDS/HIPS) or ____ (NIDS/NIPS).

Answer 36

network based

Question 37

A host-based intrusion detection system displays notifications within the application (or sends them to a designated email address). You review the notification events to identify any suspicious activity on the system. When looking at the output, review the date and time of the event, the source of the event, and the account that caused the event to occur. Using this information, you can decide whether a configuration change is needed. Host-based intrusion prevention systems actively protect the host by ___ ___.

Answer 37

stopping attacks