Secure Software Development

Question 1

SDLC

Answer 1

Software Development Life Cycle:
An organized process of developing a secure application throughout the life of the project

Waterfall Model
Project Planning > Requirements > Analysis > Design > Coding > Testing > Deployment

Question 2

SDLC Phases

Answer 2

Planning & Analysis
Software/Systems Design
Implementation
Testing
Integration
Deployment
Maintenance

Question 3

Agile

Answer 3

Software development is performed in time-boxed or small increments to allow more adaptivity to change

Question 4

DevOps

Answer 4

Software development and information technology operations

Question 5

SDLC Principles: Defense in Depth

Answer 5

Layering of security controls is more effective and secure than relying on a single control

Question 6

SDLC Principles: Never Trust User Input

Answer 6

Any input that is received from a user should undergo input validation prior to allowing it to be utilized by an application

Question 7

SDLC Principles: Minimize Attack Surface

Answer 7

Reduce the amount of code used by a program, eliminate unneeded functionality, and require authentication prior to running additional plugins

Question 8

SDLC Principles: Create Secure Defaults

Answer 8

Default installations should include secure configurations instead of requiring an administrator or user to add in additional security

Question 9

SDLC Principles: Authenticity & Integrity

Answer 9

Applications should be deployed using code signing to ensure the program is not changed inadvertently or maliciously prior to delivery to an end user

Question 10

SDLC Principles: Fail Securely

Answer 10

Applications should be coded to properly conduct error handling for exceptions in order to fail securely instead of crashing

Question 11

SDLC Principles: Rely on Trusted SDKs

Answer 11

SDKs must come from trusted source to ensure no malicious code is being added

Question 12

Black-box Testing

Answer 12

Occurs when a tester is not provided with any information about the system or program prior to conducting the test

Question 13

White-box Testing

Answer 13

Occurs when a tester is provided full details of a system including the source code, diagrams, and user credentials in order to conduct the test

Question 14

Gray-box Testing

Answer 14

(Combination of Black & White-box)

The tester partially understands the application’s internal working structure

Question 15

Structured Exception Handling (SEH)

Answer 15

Structured Exception Handling:

Provides control over what the application should do when faced with a runtime or syntax error

Question 16

Input Validation

Answer 16

Applications verify that information received from a user matches a specific format or range of values

Question 17

Static Analysis

Answer 17

Source code of an application is reviewed manually or with automatic tools without running the code

Question 18

Dynamic Analysis

Answer 18

Analysis and testing of a program occurs while it is being executed or run

Question 19

Fuzzing

Answer 19

Injection of randomized data into a software program in an attempt to find system failures, memory leaks, error handling issues, and improper input validation

Question 20

Backdoors

Answer 20

Code placed in computer programs to bypass normal authentication and other security mechanisms

Backdoors are a poor coding practice and should not be utilized

Question 21

Directory Traversal

Answer 21

Method of accessing unauthorized directories by moving through the directory structure on a remote server

Question 22

Arbitrary Code Execution

Answer 22

Occurs when an attacker is able to execute or run commands on a victim computer (not remotely)

Question 23

RCE

Answer 23

Remote Code Execution:

Occurs when an attacker is able to execute or run commands on a remote computer

Question 24

Buffer Overflow

Answer 24

Occurs when a process stores data outside the memory range allocated by the developer

Question 25

Buffer

Answer 25

A temporary storage area that a program uses to store data

Over 85% of data breaches were caused by a buffer overflow

Question 26

Stack

Answer 26

Reserved area of memory where the program saves the return address when a function call instruction is received

Question 27

“Smash the Stack”

Answer 27

Occurs when an attacker fills up the buffer with NOP so that the return address may hit a NOP and continue on until it finds the attacker’s code to run

Question 28

Address Space Layout Randomization

Answer 28

Method used by programmers to randomly arrange the different address spaces used by a program or process to prevent buffer overflow exploits

Question 29

XSS (3 Types)

Answer 29

Cross-Site Scripting:
Occurs when an attacker embeds malicious scripting commands on a trusted website

Stored/Persistent
Attempts to get data provided by the attacker to be saved on the web server by the victim
Isn’t just reflected, data is stored in DB/Server then sent to the user from where it’s stored
Injects anyone that views the content (ex: if Youtube allowed JS in comments)

Reflected
Attempts to have a non-persistent effect activated by a victim clicking a link on the site
Input (JS) is reflected back into the response

DOM-based
Attempt to exploit the victim’s web browser
User’s input lands inside a dangerous part of JS code (happens on client-side)

Prevent XSS with output encoding and proper input validation

Question 30

XSRF/CSRF

Answer 30

Cross-Site Request Forgery:
Occurs when an attacker forces a user to execute actions on a web server for which they are already authenticated

One domain is forging a request to another to modify a value

Example: You’re on a website and click a link to an external site, but it deletes your account on the original site

Prevent XSRF with tokens, encryption, XML file scanning, and cookie verification

Question 31

SQL Injection

Answer 31

Attack consisting of the insertion or injection of an SQL query via input data from the client to a web application

SQL injection is prevented through input validation and using least privilege when accessing a database

If you see ` OR 1=1; on the exam, it’s an SQL injection

Question 32

Injection Attack

Answer 32

Insertion of additional information or code through data input from a client to an application

SQL
HTML
XML
LDAP

Most common type is an SQL injection

Question 33

XML Vulnerabilities

Answer 33

XML data submitted without encryption or input validation is vulnerable to spoofing, request forgery, and injection of arbitrary code

Question 34

XML Bomb (Billion Laughs Attack)

Answer 34

XML encodes entities that expand to exponential sizes, consuming memory on the host and potentially crashing it

Question 35

XML Eternal Entity (XXE)

Answer 35

An attack that embeds a request for a local resource

To prevent XML vulnerabilities from being exploited, use proper input validation

Question 36

Race Conditions

Answer 36

A software vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events, and those events fail to execute in the order and timing intended by the developer

A race condition vulnerability is found where multiple threads are attempting to write a variable or object at the same memory location

Question 37

Race Conditions: Dereferencing

Answer 37

A software vulnerability that occurs when the code attempts to remove the relationship between a pointer and the thing it points to.

Race conditions are difficult to detect and mitigate
Race conditions can also be used against databases and file systems

Question 38

Time of Check to Time of Use (TOCTTOU)

Answer 38

The potential vulnerability that occurs when there is a change between when an app checked a resource and when the app used the resource

Question 39

Preventing Race Conditions/TOCTTOU

Answer 39

Develop applications to not process things sequentially if possible

Implement a locking mechanism to provide app with exclusive access

Question 40

Design Vulnerabilities: Insecure Components

Answer 40

Any code that is used or invoked outside the main program development process

Code Reuse
Third-party Library
Software Development Kit (SDK)

Question 41

Design Vulnerabilities: Insufficient Logging/Monitoring

Answer 41

Any program that does not properly record or log detailed enough information for an analyst to perform their job

Logging and monitoring must support your use case and answer who, what, when, where, and how

Question 42

Design Vulnerabilities: Weak of Default Configurations

Answer 42

Any program that uses ineffective credentials or configurations, or one in which the defaults have not be changed for security

Many applications choose to simply run as root or as a local admin
Permissions may be too permissive on files or directories due to weak configurations

Utilize scripted installations and baseline configuration templates to secure applications during installation

Question 43

LDAP Injections

Answer 43

LDAP typically stores authentication info (user/pass)
Attacker makes malformed queries to pull more info than they’re supposed to (or to bypass authentication)
Usually via URLs or input fields

Example:
Normal Query
http://www.CVexample.com/people_search.aspx?name=Sam)(zone=public)

Manipulated Query
http://www.CVexample.com/people_search.aspx?name=Sam)(zone=*)

Question 44

SSL Stripping/HTTP Downgrade

Answer 44

Combines an on-path with a downgrade attack (attacker sits between client/server)

Attacker modifies data between victim & web server

Done via: Proxy server, ARP spoofing, or rogue AP

Question 45

Dead Code

Answer 45

Section of source code of a program which is executed but whose result is never used in any other computation.
Add security vulnerability

Question 46

OWASP

Answer 46

Open Web Application Security Project:
An online community that produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security