2.4 Secure Coding Practices

Question 1

What does output encoding do?

Answer 1

Output encoding replaces the potentially dangerous character with an equivalent string that produces the same result but doesn’t have the risk of manipulating the application.

Question 2

What does HTML encoding do?

Answer 2

Uses ampersand (&) notation to replace dangerous values that appear in an HTML-based web document.

Question 3

URL Encoding

Answer 3

Uses percent sign (%) notation to replace dangerous values that appear in a URL.

Question 4

What is input validation.

Answer 4

It’s the filtering of user-supplied input.

Question 5

What security concerns do user-supplied input raise?

Answer 5

User-supplied input may contain code designed to interact with the database, manipulate the browsers of future visitors to the site, or perform any of a number of other attacks.

Question 6

The Two Appraches to Input Validation

Answer 6

Whitelisting and Blacklisting

Question 7

What does input validation via whitelisting do? And what’s its downside?

Answer 7

Specifies allowable input. Not always practical.

Question 8

What is blacklisting in the context of input validation? What’s it’s main characteristic (pro/con).

Answer 8

Specifies disallowed input. More difficult and less effective than whitelisting.

Question 9

Should input validation be performed on the client or on the server? Why?

Answer 9

On the server.

The user controls the browser, and the user can disable the input validation routine if you validate input on the client side

Question 10

What are parameterized queries?

Answer 10

In a parameterized query, the SQL template is precompiled on the database server.

The client does not send the SQL code to the database server. Instead, the client sends arguments to the server which then inserts those arguments into a pre-compiled query template.

This protects against injection attacks and improves database performance.

Question 11

What’s one way that you should never store a password?

Answer 11

Plaintext

Question 12

What does hashing do?

Answer 12

Uses a cryptographic function to transform the password into a unique value that can’t be reversed.

Question 13

What is salting? What does it protect against?

Answer 13

Adding a random value to passwords prior to hashing.

Against rainbow table attacks.

Question 14

In what form should the passwords be in transit?

Answer 14

Encrypted.

Question 15

What does Transport Layer Security (TLS) do on a high level?

Answer 15

Encrypts web traffic.

Question 16

What does output encoding do?

Answer 16

Replaces dangerous characters with equivalent strings that produce the same result for the end-user but don’t have the risk of maliciously manipulating the application.

Question 17

What does HTML encoding do?

Answer 17

Uses ampersand (&) notation to replace dangerous values that appear in an HTML-based document.

Question 18

What does URL encoding do?

Answer 18

Uses percent sign (%) notation to replace dangerous values that appear in a URL.

Question 19

Should you do output encoding manually? If not what should you do instead?

Answer 19

No. You should use trusted libraries to perform it.

Question 20

Do unpredictable states in software jeopardize application security?

Answer 20

Yes.

Question 21

What does error handling do?

What does it prevent?

Answer 21

It provides the computer with explicit instructions on handling errors.

Prevents unpredictable states.

Question 22

What’s Java’s model for error handling?

Answer 22

Try-Catch

Question 23

What does code signing do?

Answer 23

Helps users determine whether code is legitimate using digital signatures to the software. This provides users with confidence that software comes from a trusted source.

Question 24

What are the two steps of signing code?

Answer 24

1. The developer obtains a digital certificate.

2. The developer creates a digital signature for the code using the private key associated with the certificate.

Question 25

What are the four steps of verifying code signatures?

Answer 25

1. The user downloads the software.
2. The OS uses the certificate’s public key to validate the signature.
3. The OS verifies that the signature’s hash matches the code.
4. The OS verifies that the developer is trusted.

Question 26

What is database normalization?

Answer 26

A set of design principles that database designers should follow when building and modifying databases.

Normalization improves database design and has security advantages.

Question 27

What does database activity monitoring do?

Answer 27

Logs and analyses database requests.

Question 28

What do stored procedures protect against?

Answer 28

SQL injection.

Question 29

What is deidentification?

Answer 29

The process of moving through a data set and removing data that may be individually identifying (names, social security numbers, etc).

Not as secure as it sounds…

Question 30

What is anonymization?

Answer 30

Removing the possibility of identification.

Question 31

What is data obfuscation?

Answer 31

Transforming personally-identifying information into a form where it is no longer possible to tie it to an individual person.

Question 32

What is tokenization?

Answer 32

Replacing sensitive fields with a random identifier, and using a lookup table.

Question 33

What is masking?

Answer 33

Replacing sensitive information with blank values.

Question 34

What protocol may be used to secure passwords in transit to a web application?

Answer 34

Transport Layer Security (TLS)

Question 35

What must a developer who wishes to sign their code have?

Answer 35

Digital Certificate