Section 11: Managing Application Security Flashcards

1
Q

Name three types of mobile device connection methods.

A

  1. Cellular
  2. Wireless
  3. Bluetooth

2
Q

What is an embedded electronic system? Give two examples.

A

Have software embedded into the hardware; some use SoC

Examples: microwaves, gaming consoles, security cameras, wearable technology, smart TVs, medical devices (like defibrillators), self-driving cars

3
Q

What is the purpose of a SCADA system?

A

Industrial control systems used in the refining of uranium, oil, gas, or the purification of water.

4
Q

What category of devices are smart TV and wearable technology?

A

IoT devices.

5
Q

What is home automation?

A

Where you can control the temperature, lighting, entertainment system, alarm system, and appliances.

6
Q

What is the purpose of SoC?

A

A low-power integrated chip that integrates all components of a computer or electronic system. Example would be a controller for a defibrillator, i.e. an operating system stored on a small chip.

7
Q

If a process does not suffer buffer overflow but fails when it is not completed within a specified period of time, what method are you using?

A

The Real Time Operating System (RTOS) processes data as it comes in without any buffer delays. The process will fail if it is not carried out within a certain period of time.

8
Q

What is the most likely way an attacker would gain control of an MFP?

A

An attacker would most likely gain control of a multifunction printer (MFP) through its network interface.

9
Q

What is the purpose of the security team controlling the HVAC in a data center?

A

To ensure that the temperature is regulated and the servers remain available. They also know which rooms are occupied based on the use of air conditioning and electricity.

10
Q

Someone at work has suffered a cardiac arrest and the first aid delegate takes out a defibrillator that gives instructions on the steps to take. What had been built into the device to give these instructions?

A

A SoC, which gives instructions on the steps to take. However, if it detects a pulse, it will send a charge.

11
Q

Give an example of embedded systems that can be used with vehicles.

A

Self-parking or self-driving.

12
Q

What is a UAV? Give two examples.

A

Unmanned aerial vehicles (UAVs) are drones or small aircraft that can be sent to areas where manned aircraft cannot go. They can be fitted with a camera to record events or take aerial photographs.

Examples: tracking the spread of forest fire, police surveillance

13
Q

What is the main problem with a race condition when using an application?

A

A race condition is when two threads of an application access the same data at the same time. Access should be sequential lest it lead to data corruption.

14
Q

What is the perfect way to set up error handling in an IT system?

A

Grant the user generic information only, but for the log files (accessed by the admin) to include a full description of the error.

15
Q

Explain input validation and name three types of attacks that this could prevent.

A

Ensures that data is inserted into an application in the correct format. Any data in the incorrect format will be rejected.

Examples of attacks this could prevent:
1. SQL injection
2. Buffer overflow
3. Integer overflow

16
Q

How can you prevent a SQL injection attack other than with input validation?

A

Stored procedures.

17
Q

What is the purpose of code signing?

A

Similar to digital signatures, code signing confirms that the code is the authentic original code and that it has not been tampered with.

18
Q

What is the purpose of obfuscation?

A

Taking code and masking the data, making it obscure so that, if it is stolen, it will not be understood.

XOR and ROT13 could be used for obfuscation. Steganography could be used to hide the code.

19
Q

What is dead code and how should it be treated?

A

Redundant code that is no longer used but could still introduce errors into the program life cycle. It should be removed.

20
Q

If you are an Android developer, what can you obtain from the internet to help you get an application to market quickly?

A

Code, using a third-party library from the internet.

21
Q

What is the purpose of a measured boot?

A

Logs information about the firmware and application and stores this log in the TPM chips. This can be used to check the health status of the host and complete an anti-malware check during the boot process that confirms that the software is trustworthy.

22
Q

What is needed for a secure boot - UEFI or BIOS?

A

UEFI, which is a modern version of the BIOS.

23
Q

If BitLocker is checking upon boot up that the software has not been tampered with, what is this known as?

A

Attestation.

24
Q

What is the purpose of an endpoint detection and response solution?

A

Centralized console that continuously monitors the computer and makes automatic alerts when a threat has been detected. Uses machine learning.

25
Q

Why do we use fingerprinting?

A

Fingerprinting is the deep analysis of a host, looking at the applications, software version, and the services that are running. Tools such as nmap and netcat can be used for this.

26
Q

What type of firewall can act as an intrusion prevention device, a stateful firewall, and can inspect encrypted SSL and HTTPS packets?

A

A Next Generation Firewall (NGFW), which carries out deep packet filtering.

27
Q

Why is tokenization deemed more secure than encryption?

A

Tokenization takes sensitive data, like a credit card number, and replaces it with random data so it cannot be reversed. The data is held by a payment provider in a remote location who then replaces the data with a token.

28
Q

What is the purpose of secure cookies?

A

We can set the secure flag on the website to ensure that cookies are only downloaded when there is a secure HTTPS session.

29
Q

What is the purpose of using HSTS?

A

HTTP Strict Transport Security (HSTS) ensures that the web browser only accepts secure connections and prevents XSS.

30
Q

When a developer wants to analyze code when it is running, what type of code analyzer will they use?

A

Dynamic code analysis so that they can use fuzzing to test the code.

31
Q

What is the benefit of using the Docker tool to protect your registry?

A

Allows you to isolate applications into a separate space called containers. The registry can now be isolated in a separate container, making it more secure.

32
Q

Why would a cybersecurity team change the SSD hard drives in the company’s laptop to an Opal drive?

A

Opal is a self-encrypting drive where the encryption keys are stored on the hard drive controller and are therefore immune to a cold boot attack and are compatible with all operating systems.

They do not have the vulnerabilities of software-based encryption. As a hardware solution, they outperform software solutions. Only the user and the vendor can decrypt the drive.

33
Q

As part of application development, when would you apply quality assurance?

A

QA is completed during the staging environment where users test the new application with real data.