Mod 4

Question 1

What does it mean to say, “security is an emergent property”?

Answer 1

That it must be designed into the system from the beginning

Question 2

Are security tests similar to functional tests?

Answer 2

No. Security tests exists to break things, not repair

Question 3

Can security testing be done for the whole system?

Answer 3

No, risk assesment must be performed to determine what is worth protecting.

Question 4

Define attack pattern

Answer 4

Common set of methods to attack systems in a more abstract form.
(The method used to do an attack)

Question 5

Define attack surface

Answer 5

“Where” the external user has access to the system

Question 6

What software life cycle level are bugs found?

Answer 6

Implementation

Question 7

What software life cycle level are flaws found?

Answer 7

Design

Question 8

What are the 3 tasks of a Security Software Engineer?

Answer 8

Create security test plans using static analysis tools
Performing security tests
Performing penetration tests

Question 9

Where in the software development lifecycle do security testing, penetration testing, and security operations take place?

Answer 9

Between the Testing and Maintenance phases

Question 10

What’s the most efficient type of standard software testing?

Answer 10

Whitebox

Question 11

How does security testing differ from penetration testing?

Answer 11

It’s whitebox (meaning source code is available)
Uses risk analysis to build tests
Measures security against risk model

Question 12

Define penetration testing

Answer 12

Testing software in deployed environment by attacking it

Question 13

Define fuzz testing

Answer 13

A testing methodology in which well formed inputs are randomly changed and used for testing

Question 14

When is fuzz testing useful?

Answer 14

When there is no obvious way to divide your input into equivalence classes.

Question 15

If no faults are found during a penetration test, does that mean there are not faults in the system?

Answer 15

Not necessarily. It just means there were no faults under the specific conditions of that test.

Question 16

What are the 4 macro steps of penetration testing?

Answer 16

Plan
Discover
Attack
Report

Question 17

What are the 5 micro steps of penetration testing?

Answer 17

Target acquisition
Inventory
Probe
Penetrate
Host-based assessment

Question 18

When does vulnerability scanning come into penetration testing?

Answer 18

Micro steps 1-3, though most would just say step 3

Question 19

What are the 4 categories of penetration tests?

Answer 19

Network
Host
Distributed apps
Local apps

Question 20

What are the tools used in network penetration testing? (3)

Answer 20

nmap,
ncat,
wireshark

Question 21

Define static analysis

Answer 21

analyzing the code without running it

Question 22

What’s the most common tool for static analysis?

Answer 22

compilers

Question 23

Is it good to use different compilers for static analysis?

Answer 23

Yes because different compilers can give different messages.

Question 24

What types of errors are NOT detected by compilers?

Answer 24

syntax

Question 25

Name 3 types of analysis

Answer 25

Manual code analysis Static code analysis Dynamic code analysis

Question 26

What type of review involves reviewer(s) walking through each line of code?

Answer 26

Manual code analysis

Question 27

What type of review is conducted without executing the code?

Answer 27

Static code analysis

Question 28

What type of review is conducted while the code is executing?

Answer 28

Dynamic code analysis

Question 29

What are advantages of static code analysis?

Answer 29

doesn't require executing code, sound to describe program properties, easily integrated into SDL, able to find most bugs, faster than manual code analysis

Question 30

What are disadvantages of static code analysis?

Answer 30

not precise enough to describe program properties, high amount of false positives, humans are needed to verify results, cannot be entirely automatic

Question 31

What are advantages of manual code analysis?

Answer 31

can outperform automated analysis tools if done correctly, low amount of false positives

Question 32

What are disadvantages of manual code analysis?

Answer 32

time consuming, typically requires an expert

Question 33

What are advantages of dynamic code analysis?

Answer 33

no false positives, it finds security vulnerabilities

Question 34

What are disadvantages of dynamic code analysis?

Answer 34

code must be able to compile (so you have to build the whole thing), may cause harm to the system being tested

Question 35

Define false negative in terms of analysis

Answer 35

program contains bugs that the tool/process misses

Question 36

Define false positive in terms of analysis

Answer 36

tool/process reports bugs that aren't there

Question 37

Which is more dangerous, false negative or false positive?

Answer 37

false negative. it leads to a false sense of security

Question 38

A tool is sound if...

Answer 38

it produces no false negatives.

Question 39

A tool is unsound if...

Answer 39

it tries to reduce false positives by letting false negatives slip by.

Question 40

Define secure code review

Answer 40

a specialized task with the goal of finding different types of security weaknesses

Question 41

What are the 5 types of peer reviews?

Answer 41

Formal, Over the shoulder, Email pass around, Pair programming, Tool assisted

Question 42

What's the best way to find bugs?

Answer 42

Code reviews

Question 43

List 4 benefits of code reviews

Answer 43

find defects sooner, find defects with less effort than testing, find different defects than testing, educate devs about security bugs

Question 44

List the 4 steps of the secure code review process

Answer 44

Developer interview, Static analysis tools, Manual inspection, Findings report

Question 45

What's the purpose of the developer interview?

Answer 45

to meet with a dev and try to get an understanding of what the code is trying to do

Question 46

What's the purpose of the findings report?

Answer 46

to document the findings and present them to the development team

Question 47

Vulnerabiltiy severity has a rating scale of...

Answer 47

no risk, low risk, moderate risk, risky, very risky, most risky

Question 48

What are the 8 classifications of coding errors?

Answer 48

1. Input Validation and Representation 2. API Abuse: 3. Security Features: 4. Time and State: 5. Error Handling 6. Code Quality 7. Encapsulation 8. Environment

Question 49

Define buffer overflow

Answer 49

app attempts to write beyond the memory space allocated for data

Question 50

Define unvalidated input

Answer 50

user input is not checked to make sure it conforms to the data type the system can handle

Question 51

Define race conditions

Answer 51

the execution order of two different progams may change the output of some variable

Question 52

What's a CWE?

Answer 52

A common weakness enumeration. A specification providing a common language for discussing, finding, and mitigating security vulnerabilities.

Question 53

What's a CVE?

Answer 53

Common Vulnerabilities and Exposure A list of security vulnerabilities and exposures that aim to provide common names for publicaly known problems.

Question 54

What's CAPEC?

Answer 54

Common Attack Pattern Enumeration and Classification Publicly available, community developed list of common attack patterns.

Question 55

When using off the shelf (OTS) software, you only have to validate the functionality you use. (T/F)

Answer 55

True

Question 56

What type of software does NOT require security validation?

Answer 56

Programming tools

Question 57

(T/F) Security is easy to add to a product after all other features are programmed.

Answer 57

False

Question 58

(T/F) Penetration testing should find all vulnerabilities.

Answer 58

False

Question 59

List methods of static analysis, and 1 that's not.

Answer 59

Pair programming, Compiler flags, Desk checking Using a debugger

Question 60

(T/F) Static analysis can use compiled code or source code.

Answer 60

True

Question 61

(T/F) Code vulnerabilities do not depend on the programming language you use; they are universal.

Answer 61

False

Question 62

(T/F) Secure code review findings can be tracked in an issue tracker without the need to write reports to senior management or auditors.

Answer 62

False