Chapter 6 Secure Coding Flashcards

1
Q

Software Development Phases

A
  1. Feasibility - should the effort be conducted?
  2. Analysis and requirements definition - what is the desired functionality?
  3. Design
  4. Development - actual coding of application, may include unit testing
  5. Testing and Integration Phase - formal testing, user acceptance test (UAT)
  6. Training and Transition Phase - acceptance, installation and deployment
  7. Ongoing Operations and Maintenance - patching, updates, modification
  8. Disposition/End-of-life
2
Q

Code Deployment Environments

A

Development - where developers actually work
Testing - testing without impact on the production environment; pre-production and quality assurance
Staging - transition for code that tested successfully and is waiting to deploy
Production - live system

3
Q

Waterfall (software development model)

A

Sequential software development; phases do NOT overlap, and each logically leads to the next phase
Relatively inflexible, but still in use for complex systems
Recommended for fixed scope, known timeframe, or stable tech platforms

4
Q

Spiral (software development model)

A
Linear software development model, but with an iterative process that revisits 4 phases for each expansion
Significant emphasis on risk assessment
1. Identification
2. Design
3. Build
4. Evaluate
  1. round 2 requirements
  2. update design
  3. second build
  4. test and reassess risks
5
Q

Agile (software development model)

A

Iterative and incremental process rather than linear, Agile focuses on creating working software that is flexible and adaptable rather than hard and fast rules with comprehensive documents and contracts.

  • Individuals and interactions are more important than processes and tools
  • working software is preferable to comprehensive documents
  • customer collaboration replaces contract negotiation
  • responding to change is key rather than following a plan
6
Q

Continuous Integration v. Continuous Deployment

A

Cont. Integration is a development practice in which code is checked into a shared repository on a consistent, ongoing basis

Cont. Deployment rolls changes out into production automatically as soon as they have been tested

7
Q

OWASP secure coding practices

A
  • define security requirements
  • leverage security frameworks/libraries
  • secure database access
  • encode and escape data
  • validate all inputs
  • implement digital identity
  • enforce access control lists
  • protect data everywhere
  • implement security logging and monitoring
  • handle all errors and exceptions
8
Q

API security

A

Application Programming Interfaces are interfaces between clients and servers (or apps and the OS) that define how the client should ask for information from the server and how the server should respond.

  • useful, but must be secured
  • programs in any language can implement an API
9
Q

Code review

A

Pair Programming - agile technique where one developer writes while the other reviews as it is written. Adds cost and quality.
Over the Shoulder - requires the developer who wrote the code to explain it to the other developer.
Pass-around Code Reviews - flexible, but peers can't learn about the code from the developer
Tool-Assisted Code Review - software-based code review: Atlassian's Crucible, Codacy's static code review, Phabricator's Differential code review

Formal Code Review is in-depth and time-consuming; Fagan Inspection is the formal code review process
Manual code review is the process of reading the source code line by line to identify potential vulnerabilities

10
Q

Static Code Analysis

A

Static Code Analysis can be seen as white box testing, where testers have full visibility; it focuses on understanding how the program is written and what it's intended to do.

Dynamic Code Analysis runs the code while providing input to test the software

11
Q

What is Fuzzing

A

Fuzz testing sends invalid or random data to an application to test its ability to handle unexpected data.
- This only identifies simple problems

12
Q

Injection Vulnerabilities

A

Injection allows attackers to supply code to a web application and trick the web server into either executing the code or passing it to another server

Allows an attacker to relay malicious code through a web app to the supporting OS or another system

13
Q

SQL injection

A

Attackers modify SQL requests by providing input to the web app, then monitor the result.
- Blind SQL injection is when the attacker cannot review the results.

Best defense is to validate data

14
Q

Blind Content Based v. Blind Timing Based SQL injections

A

Blind Content Based - the attacker sends input to the web app that tests whether the app is interpreting injected code before attempting an attack.

Blind Timing Based - attackers use the amount of time required to process a query as an attack vector. Sometimes programmers insert a delay before the next action; if an attacker probes such a system and it returns immediately, it's probably not vulnerable.

SQLmap and Metasploit automate blind timing-based attacks

15
Q

LDAP and DLL

A

DLL is a Windows library containing code and data.

16
Q

Command Injection

A

In some cases, app code may reach back to the OS to execute a command. This is especially dangerous because an attacker who exploits a flaw in the app can gain direct access to the OS.

17
Q

Session Hijacking

A

This occurs when an attacker commandeers an existing authenticated session. Usually done using cookies.

18
Q

Session Replay Attack

A

Replay attacks are network attacks that repeat or delay a valid data transmission. A hacker can steal the user's unique session ID, stored as a cookie, URL, or form field, and gain authorization.

19
Q

How to protect against cookie theft?

A

Secure cookies, which are never transmitted over unencrypted HTTP connections.

20
Q

What is an NTLM pass-the-hash attack?

A

A replay attack against the OS rather than an app. The attacker begins by gaining access to a Windows system, then harvests stored NTLM password hashes.

21
Q

What is insecure direct object reference?

A

Sometimes apps pull data directly from a database. If the app doesn't perform validation checks, this attack can occur.

Remember the link with a student ID on the end of the URL: the user can change the student ID and see another student's data.

22
Q

What is directory traversal?

A

Type of HTTP exploit used to gain access to restricted directories or files

/../../etc/psswrd

23
Q

What is file inclusion?

A

File inclusion takes directory traversal to the next level: instead of simply retrieving a file from the local OS, file inclusion attacks actually execute the code within a file, allowing the attacker to fool the web server into executing arbitrary code.

24
Q

What is privilege escalation?

A

Shifting from initial access to more advanced privileges such as root access.

Privilege escalation specifically seeks to increase the level of access an attacker has to a target system

25
Q

What is API

A

An application programming interface is a set of definitions and protocols for building and integrating application software; it specifies how the client and server will communicate.

26
Q

What is cross site scripting?

A

Type of injection where malicious scripts are injected into otherwise trusted websites. XSS occurs when attackers use a web app to send malicious code to the end user, whose browser has no way to know the script should not be trusted. The script can then access any cookies or session tokens retained within the browser.

This can occur anywhere a web app uses input from the user in its output without validating or encoding it

27
Q

Reflected (non-persistent) XSS vs. Stored (persistent) XSS

A

Reflected XSS occurs when apps allow reflected input (hello, [name])

Stored XSS includes forum posts or social media with posted links that contain a payload. There is no specific target.

DOM-based XSS hides code in the Document Object Model, which is not visible when viewing the HTML source.

28
Q

What is an XSRF attack?

A

Similar to XSS, but exploits trust relationships. XSS exploits the trust users have in a website, while XSRF exploits the trust remote sites have in the user's system.
Attackers may leave a link in a forum. When the user clicks the link while logged into their bank, a wire transfer from the user to the attacker succeeds. Hence "cross site".

29
Q

How to prevent XSRF?

A

Use secure tokens and check the referring URL, accepting only requests from the site itself

30
Q

SSRF

A

Server-side request forgery
Instead of tricking the user's browser into visiting a URL (XSRF), the attacker tricks the server into visiting a URL based on user-supplied input.
This is possible when web apps accept a URL from the user as input and then retrieve information from that URL

Wayback Machine is an example; remember Wayback Machine SSRF

31
Q

Input Validation

A

Whitelisting - developers describe the exact type of input expected from the user, then verify that the input matches
Blacklisting - developers try to describe potentially malicious inputs that must be blocked
MUST ensure validation happens on the server side rather than in the client's browser

Parameter pollution can defeat validation

32
Q

Parameter Pollution

A

Sends the web app more than one value for the same input

php?account=12345&account=12345' OR 1=1;--

33
Q

Web App Firewalls WAF

A

Always have input validation as the primary defense against injection attacks
WAFs function similarly to network firewalls, but they work at the application layer
WAFs sit in front of a web server and receive all network traffic headed to that server

34
Q

What is the primary defense against injection attacks?

A

Input Validation

35
Q

Database Normalization

A

This is a set of design principles database designers should follow

  • prevent data inconsistency
  • prevent update anomalies
  • reduce the need for restructuring existing databases
  • make the database schema more informative
36
Q

What is the purpose of parameterized queries?

A

To protect applications against injection attacks; also improves database performance

37
Q

Data obfuscation and camouflage techniques

A

Data minimization - don't collect/keep unnecessary data
Tokenization - replacing sensitive data with a nonsensitive number that represents that data and can be used in a database to look the sensitive data up. Must keep the lookup table secure!
Masking - replace personal identifiers with asterisks.
Hashing - uses a cryptographic hash to replace sensitive identifiers with an irreversible alternative identifier.
Salting - adding random characters to the end of an input before it is hashed. This prevents rainbow table attacks.

38
Q

What is a Software Development Kit?

A

A collection of software libraries combined with documentation, examples, and other resources to help programmers get things going quickly

39
Q

Dead code, code reuse, code repository

A

Dead code - code in use that nobody is maintaining or responsible for, or whose source code file location is unknown
Code reuse - instead of writing code for mundane tasks, developers can locate libraries that contain the relevant functions
Code repository - centralized location for storage/management of application source code

40
Q

What is code signing?

A

Provides developers a way to confirm the authenticity of their code; it is a cryptographic function that digitally signs code with the developer's own private key.

41
Q

What are benefits to Software Diversity?

A

Helps avoid single points of failure
Minimizes attack surface as well as potential damage
An alternative compiler results in a different binary each time

42
Q

Scalability and Elasticity

A

Scalability is the ability to increase the workload of a given infrastructure.

Elasticity is the ability to increase/decrease available resources as the workload changes

43
Q

Code Integrity Measurement

A

Uses cryptographic hash functions to verify that the code being released into production matches the code that was previously approved

44
Q

What is the purpose for source code comments?

A

To document changes, explain workflows, and offer details to anyone who has to modify or troubleshoot the source code
Can also provide attackers with a roadmap of how the code works
Ensure comments remain private

45
Q

Resource exhaustion

A

When a system consumes all of the memory, storage, or processing time that is available, which cripples the system

Pointer dereferencing - pointers store the address of another location in memory. If the pointer is empty, the null value can crash the system or allow a bypass of security controls

46
Q

Buffer overflow

A

The attacker manipulates a program into placing more data into an area of memory than is allocated for that program's use
The goal is to overwrite other information with instructions that may be executed by a different process on the system

47
Q

Race Conditions

A

When the security of a code segment depends on the sequence of events occurring within the system. Time of Check to Time of Use (TOCTOU) is a race condition that occurs when a program checks access permission too far in advance of a resource request.

48
Q

Driver Manipulation - what is shimming vs refactoring?

A

Shimming is wrapping a malicious driver around the legitimate driver (without access to the driver source code)

Refactoring is done when the attacker has access to the driver source code and modifies it to include malware.

Device drivers use code signing. Drivers without code signing are likely to be flagged as suspicious by the OS.