Ch3 Flashcards
(20 cards)
What is insecure design in web applications?
Security weaknesses caused by flaws in the application’s architecture and design.
What are common consequences of insecure design?
Vulnerabilities that remain throughout the development process and expose the system to threats.
How can insecure design be mitigated?
Use DevSecOps practices, perform threat modeling, secure communication, and encrypt stored data.
What should not be included in error messages to avoid insecure design?
Server-related sensitive information.
What is security misconfiguration?
Improper settings or missing security measures in any part of the application.
What are examples of security misconfiguration?
Unchanged default accounts, unnecessary features enabled, and poorly configured permissions.
How can security misconfiguration be prevented?
Keep software up to date, avoid default settings, scan for misconfigurations, restrict access to unused features.
Why are default usernames and passwords dangerous?
Attackers can easily guess them and gain unauthorized access.
What are vulnerable and outdated components?
Using software components or libraries that are no longer supported or have known vulnerabilities.
What is the risk of using outdated components?
They can become an entry point for attackers to exploit the system.
How can you mitigate the risks of outdated components?
Maintain an inventory of components, update regularly, and patch dependencies.
Why is it important to monitor component versions used in a system?
To ensure all parts of the system have the latest security patches.
What are identification and authentication failures?
Failures in correctly verifying user identity, which may allow unauthorized access.
What are examples of authentication failures?
Allowing brute force, using weak/default passwords, missing session ID controls, no multi-factor authentication.
How can authentication failures be mitigated?
Implement MFA, strong password policies, and monitor login attempts.
What is multi-factor authentication (MFA)?
A security method requiring two or more forms of verification before granting access.
What are security logging and monitoring failures?
Lack of proper logging and alerting, which allows attacks to go undetected.
What is the consequence of not logging failed login attempts?
Brute-force or credential-stuffing attacks may go unnoticed.
What are best practices for logging and monitoring?
Log all login attempts, back up logs, use tamper detection, and test alerting systems.
Why should logs be backed up?
To ensure data availability and recovery in case of server failure.