Chapter 6 Flashcards

Application Security

1
Q

Software Development Life Cycle (SDLC)

A

The steps in a model for software development throughout its life. The process of designing, creating, supporting, and maintaining that software.

2
Q

Software Development Phases

A

The phases and their order can vary, but this is the typical sequence.

  1. Planning Phase
  2. Requirements Definition Phase
  3. Design Phase
  4. Coding Phase
  5. Testing Phase
  6. Training and Transition Phase
  7. Operations and Maintenance Phase
  8. Decommissioning Phase
3
Q

Planning Phase

Software Development Phases (SDLC)

A

Where initial investigations into whether the effort should occur are conducted.

4
Q

Requirements Definition Phase

A

Customer input is sought to determine what the desired functionality is, what the current system or application currently does and doesn’t do, and what improvements are desired.

5
Q

Design Phase

SDLC

A

Where security considerations are integrated into the planning and architecture of systems, applications, or networks. This proactive approach aims to minimize vulnerabilities before they are introduced during development.

6
Q

Coding Phase

A

Write and compile the actual source code based on the design. Unit testing, the testing of small components individually to ensure they function properly, may occur in this phase.

7
Q

Testing Phase

A

Formal testing with customers or others outside of the development team. Various types of tests are performed (unit, integration, system, and user acceptance testing).

8
Q

Training and Transition Phase

A

Ensuring that the end users are trained on the software and that the software has entered general use. (This phase may also be called the acceptance, installation, and deployment phase.)

9
Q

Operations and Maintenance Phase

A

The longest phase. This phase includes patching, updating, minor modifications, and other work that goes into daily support.

10
Q

Decommissioning Phase

A

When a product or system reaches the end of its life. Data migration or archiving, system shutdown, security assessments, documentation updates, and a post-decommissioning review all occur in this final phase.

11
Q

Code Deployment Environments

A

There are many environments used but these are the most common:

  • Development Environment
  • Test Environment
  • Staging Environment
  • Production Environment
12
Q

Development Environment

A

Typically used for developers or other “builders” to do their work.

13
Q

Test Environment

A

This is where the software or systems can be tested without impacting the production environment.

14
Q

Staging Environment

A

A transition environment for code that has successfully cleared testing and is waiting to be deployed into production.

15
Q

Production Environment

“Code Deployment Environment”

A

The live system. Software, patches, and other changes that have been tested and approved move to production.

16
Q

DevOps

A

Seeks to resolve issues of software development, quality assurance, and technology operations by bringing the three functions together in a single operational model. The word DevOps is a combination of development and operations, symbolizing that these functions must merge and cooperate to meet business requirements.

17
Q

DevSecOps

A

DevOps model that includes security as a core component.

18
Q

CI/CD pipeline

A

Automates the software release process.

19
Q

Continuous integration (CI)

A

A development practice that checks code into a shared repository on a consistent, ongoing basis.

20
Q

Continuous deployment (CD)

A

Sometimes called continuous delivery; it automatically rolls out changes into production as soon as they have passed testing.

21
Q

Continuous validation

A

Closely linked to Continuous Integration (CI) and Continuous Deployment (CD). It helps developers automatically test and verify new code before it is merged into the main system.

22
Q

Continuous monitoring

A

A monitoring practice that uses automation to facilitate 24/7 monitoring of systems and networks.

23
Q

Open Worldwide Application Security Project (OWASP)

A

The home of a broad community of developers and security practitioners; it hosts many community-developed standards, guides, and best-practice documents, as well as a multitude of open source tools.

24
Q

Application Programming Interfaces (APIs)

A

Interfaces between clients and servers or applications and operating systems that define how the client should ask for information from the server and how the server will respond.

APIs allow application developers to interact directly with a web service through function calls.

25
Fuzzing (Fuzz Testing)
Involves sending invalid or random data to an application to test its ability to handle unexpected data. The app is monitored to see if it crashes, fails, or reacts in an incorrect manner.
26
Injection Vulnerabilities
These vulnerabilities allow an attacker to supply some type of code to the web application as input and trick the web server into either executing that code or supplying it to another server to execute.
27
What is a SQL injection attack? (SQLi)
A hacking technique where malicious SQL code is inserted into input fields to exploit database vulnerabilities, giving attackers unauthorized access to sensitive data like passwords or credit card information.
28
Blind SQL Injection
A technique an attacker uses to conduct an attack even when they cannot view the results directly. There are two forms of blind SQL injection: content-based and timing-based.
29
Content-Based blind SQL injection Attack
The perpetrator sends input to the web application that tests whether the application is interpreting injected code before attempting to carry out an attack.
30
Blind Timing-Based SQL Injection Attack
The attacker uses SQL commands that cause delays in the application's response. By measuring the time it takes for the application to respond, they can infer whether their query was successful.
31
Code Injection Attacks
These attacks seek to insert attacker-written code into the legitimate code created by a web application developer.
32
Session Hijacking
An attack that occurs when a malicious individual intercepts part of a communication between an authorized user and a resource and then uses a hijacking technique to take over the session and assume the identity of the authorized user.
33
Cookie
A storage object maintained in the user's browser that holds variables that may later be accessed by the website that created them.
34
On-Path Attack
The attacker fools the user into thinking that the attacker is actually the target website and presents a fake authentication form.
35
Session Replay
Once an attacker has a cookie, they may perform cookie manipulation to alter the details sent back to the website or simply use the cookie as the badge required to gain access to the site.
36
Secure cookies
A cookie that is marked with the SECURE attribute to protect against cookie theft. These are never transmitted over unencrypted HTTP connections.
37
NTLM pass-the-hash attack
Another form of replay attack, carried out against a Windows system, in which the attacker harvests stored NTLM password hashes from that system.
38
Insecure Direct Object Reference (IDOR)
When a web app/API lets users see or use things like files, database entries, or user IDs without checking if they actually have permission.
39
Directory Traversal
Also known as path traversal; a type of vulnerability that allows attackers to access files and directories outside the intended scope of a web application. This happens when the application fails to properly validate user input, enabling attackers to manipulate file paths and gain unauthorized access to sensitive data.
40
File Inclusion Attacks
They execute the code contained within a file, allowing attackers to fool the web server into executing arbitrary code.
41
Local File Inclusion Attacks
Seek to execute code stored in a file elsewhere on the web server.
42
Remote File Inclusion Attacks
They allow the attacker to go a step further and execute code that is stored on a remote server. They do not have to have a file stored on the local server.
43
Web Shell
Malicious scripts uploaded to a web server to give attackers unauthorized access and control. They are often written in server-supported languages like PHP or Python. Once active, web shells let attackers execute commands, steal sensitive data, or manipulate files.
44
Privilege Escalation Attacks
Seek to increase the level of access that an attacker has to a target system.
45
Application Program Interface (API)
A set of rules and tools that allows different software systems to communicate with each other. Think of it as a bridge that connects two programs, enabling them to share data or functionality.
46
Cross-Site Scripting (XSS)
These occur when web applications allow an attacker to perform HTML injection, inserting their own HTML code into a web page.
47
Request Forgery Attacks
Exploit trust relationships and attempt to have users unwittingly execute commands against a remote server.
48
Cross-Site Request Forgery (CSRF/XSRF)
Similar to XSS attacks but exploit a different trust relationship. XSRF Attacks exploit the trust that remote sites have in a user's system to execute commands on the user's behalf.
49
Server-Side Request Forgery (SSRF)
Exploit a similar vulnerability but instead of tricking a user's browser into visiting a URL, they trick a server into visiting a URL, based on user-supplied input.
50
Input Validation
The process of checking and ensuring that any data or information received, especially from users over the internet, is correct, safe, and suitable before using it.
51
Allow Listing
The developer describes the exact type of input that is expected from the user and then verifies that the input matches the specification before passing the input to other processes or servers. EX (Python):

    # read the value as an integer and reject anything outside the expected range
    age = int(input("age: "))
    if age < 0 or age > 125:
        print("Input is invalid, must enter a number between 0-125")
52
Deny Listing
A security practice where specific items, users, or inputs are blocked because they are known to be harmful, suspicious, or unacceptable. Developers describe potentially malicious input that must be blocked.
53
Parameter Pollution
It works by sending a web application more than one value for the same input variable.
54
Web Application Firewalls (WAFs)
A security tool designed to protect web applications by filtering, monitoring, and blocking HTTP traffic between a web application and the internet. It acts as a shield to defend against common web-based threats.
55
Parameterized Queries
Instead of directly embedding user input into SQL statements, parameterized queries use placeholders for input values. This approach prevents SQL injection attacks, where malicious input could alter the structure of a query.
56
Sandboxing
The practice of running an application in a controlled or isolated environment to prevent it from interacting negatively with other system resources or applications.
57
Code Signing
Provides developers with a way to confirm the authenticity of their code to end users.
58
Dead Code
Where code is in use in an organization but nobody is responsible for the maintenance of that code and, in fact, nobody may even know where the original source files reside.
59
Scalability (Application Resilience)
Applications should be designed so that the computing resources they require can be added incrementally to support increasing demand.
60
Elasticity (Application Resilience)
Applications should be able to provision resources automatically to scale when necessary and then automatically deprovision those resources to reduce capacity (and cost) when they are no longer needed.
61
Package Monitoring
This involves keeping track of all the third-party libraries or packages used in your organization, understanding what they do, and being aware of any potential vulnerabilities they may have.
62
Memory leaks
Occur when a computer program fails to release memory that is no longer needed, causing the system to gradually run out of available memory. This can lead to performance issues, such as slower response times, increased memory usage, or even application crashes.
63
Memory Pointers
An area of memory that stores an address of another location in memory.
64
Pointer Dereferencing
The process of accessing the value stored at the memory location that a pointer points to. In programming languages like C and C++, pointers are variables that store memory addresses. Dereferencing allows you to interact with the actual data at that address.
65
Buffer Overflow Attacks (Memory Injection)
Occur when an attacker manipulates a program into placing more data into an area of memory than is allocated for the program's use.
66
Memory Injection
A technique where malicious code is injected directly into a program's runtime memory. This allows attackers to manipulate the program's behavior or gain unauthorized access to sensitive data and system resources.
67
Integer Overflow
A variant of buffer overflow where the result of an arithmetic operation attempts to store an integer that is too large to fit in the specified buffer.
68
Race Conditions
Occur when the security of a code segment depends upon the sequence of events occurring within a system.
69
Time-of-Check (TOC) (Race Conditions)
The instance when a system verifies access permissions or other security controls.
70
Time-of-Use (TOU) (Race Conditions)
The moment when the system accesses the resource or uses the permission that was granted.
71
Target of Evaluation (TOE) (Race Conditions)
Refers to the particular component, system, or mechanism being evaluated or tested for potential vulnerabilities, such as the system's method of managing and validating access permissions.
72
Security Orchestration, Automation, and Response (SOAR)
Refers to a set of tools and services designed to improve the efficiency and effectiveness of cybersecurity operations. It integrates various security tools, automates repetitive tasks, and streamlines incident response workflows.
73
User Provisioning (Use Cases of Automation and Scripting)
Automated scripts can handle the process of adding, modifying, or removing user access to systems and networks, reducing manual efforts and human error.
74
Resource Provisioning (Use Cases of Automation and Scripting)
Scripts can automate the allocation and deallocation of system resources, ensuring optimal performance and reducing the burden on IT staff.
75
Guard Rails (Use Cases of Automation and Scripting)
Automation can be employed to enforce policy controls and prevent violations of security protocols.
76
Security Groups (Use Cases of Automation and Scripting)
Automated processes that can manage security group memberships, ensuring users have appropriate permissions.
77
Ticket Creation (Use Cases of Automation and Scripting)
Automation can streamline the ticketing process, enabling immediate creation and routing of issues to the right teams.
78
Escalation (Use Cases of Automation and Scripting)
In case of a major incident, scripts can automate the escalation process, alerting key personnel quickly.
79
Enabling/Disabling Services and Access (Use Cases of Automation and Scripting)
Scripts can automate the build and test process, ensuring faster and more reliable software delivery.
80
Integrations and APIs (Use Cases of Automation and Scripting)
Automated processes can handle data exchange between different software applications through APIs, enhancing interoperability.
81
Benefits of Automation and Scripting
  • Achieving efficiency and time savings
  • Enforcing baselines
  • Standardizing infrastructure configurations
  • Scaling in a secure manner
  • Retaining employees
  • Reducing reaction time
  • Serving as a workforce multiplier