CompTIA Security+ Cert Prep 2: Secure Code Design and Implementation
How does the CI/CD Pipeline work?
1. Developer Commits Change 2. Build Process is Triggered 3. Build Report is Delivered 4. Tests Run Against Build 5. Tests Report Delivered 6. If Successful, Code is Deployed
What are the 4 Development Environments?
1. Development 2. Test 3. Staging 4. Production
Name 3 ways an attacker might obtain a cookie?
1. Eavesdropping on unencrypted network connections and stealing a copy of the cookie as it is transmitted between the use and the website. 2. Installing malware on the user's browser that retrieves cookies and transmits them back to the attacker. 3. Man-in-the-Middle Attack, where the attacker fool the user into thinking that the attacker is actually the target website and presenting a fake authentication form.
12 Agile Principles?
1. Ensure customer satisfaction via early and continuous delivery of the software. 2. Welcome changing requirements, even late in the development process. 3. Deliver working software frequently. 4. Ensure daily cooperation between developers and business people. 5. Project should be built around motivated individuals who get the support, trust, and environment they need to succeed. 6. Face to face conversations are the most efficient way to convey information inside the development team 7. Progress is measured by having working software. 8. Development should be done at sustainable pace that can be maintained on an ongoing basis. 9. Pay continuous attention to technical excellence and good design. 10. Simplicity 11. The best architectures, requirements, and designs emerge from self organizing teams. 12. Team should reflect on how to become more effective and then implant that behavior at regular intervals.
What are the 6 typical phases in the Waterfall methodology?
1. Gather Requirements 2. Design 3. Implement 4. Test/Validate 5. Deploy 6. Maintain
What are the 4 basic premises of the Manifesto for Agile Software Development?
1. Individuals and interactions are more important than processes and tools. 2. Working software is preferable to comprehensive documentation 3. Customer collaboration replaces contract negotiation 4. Responding to change is key, rather than following a plan.
What are the 6 phases of Fagan Inspection?
1. Planning 2. Overview 3. Preparation 4. Meeting 5. Rework 6. Follow-Up
What are the 8 SDLC Phases?
1. Planning (Feasibility Phase) 2. Requirements (Analysis and Requirements Phase) 3. Design 4. Coding (Development Phase) 5. Testing (Testing and Integrating Phase) 6. Training and Transition 7. Ongoing Operations and Maintenance 8. End of Life Decommissioning (Disposition)
What are the 4 phases which are repeatedly used throughout the development life cycle of the Spiral Model?
1. Requirements Gathering/Identification (Gathering initial business requirements, system requirements, and more detailed requirements) 2. Design (Design, conceptual, architectural, logical, physical, final designs) 3. Build (initially proof of concept then future development releases) 4. Evaluation/Risk analysis
Name some Code Injection attacks.
1. SQL Injections (Blind Content; Blind Timing) 2. LDAP Injection (Lightweight Directory Access Protocol) 3. XML Injection (Extensible Markup Language) 4. DLL Injection (Dynamically Linked Libraries) 5. Cross-Site Scripting - Inserting HTML code written by an attacker into the web pages created by a developer
What are Web Application Firewalls (WAF)?
A WAF sits in front of a web server and receives all network traffic headed to that server. It then scrutinizes the input headed to the application, performing input validation (whitelisting and/or blacklisting) before passing the input to the web server.
What are cookies?
A storage object maintained in the user's browser that holds various variables that may later be accessed by the website that created them. (You can think of a cookie as a small database of information that the website maintains in the user's browser)
What are Directory Traversal attacks?
A web server allows the inclusion of operators that navigate directory paths and filesystem access controls don't properly restrict access to files stored elsewhere on the server.
What are memory pointers?
An area of memory that stores an address of another location in memory.
What is a Blind Content-Based SQL Injection?
An attacker sends input to the web application that tests whether the application is interpreting injected code before attempting to carry out an attack.
What is a Blind Timing-Based SQL Injection?
An attacker sends input to the web application that tests whether the application is interpreting time based code before attempting to carry out an attack.
Which phase gets customer input to determine what the desired functionality is, what the current system or application currently does and what it doesn't do, and what improvements are desired?
Analysis and Requirements Definition Phase (Requirements)
What does API stand for?
Application Programming Interface
What does API stand for?
Application Programming Interfaces
What is Elasticity?
Applications should be able to automatically provision resources to scale when necessary and then automatically deprovision those resources to reduce capacity (and cost) when it is no longer needed.
What is a Command Injection Attack?
Attacker enters commands that may reach back to the operating system to execute that command.
What are File Inclusion attacks?
Attacker fools the web server allowing to execute the code contained in a file. Local File Inclusion attacks seek to execute code stored in a file located elsewhere on the web server. Remote File Inclusion attacks allow the attacker to execute code that is stored on a remote server.
What is the acronym for Cross-Site Request Forgery?
CSRF or XSRF
What is needed to move from one environment to another?
Change Management Processes
What is Input Validation?
Checking if data meets certain criteria before passing it into the program.
What are Code Repositories?
Code Repositories are centralized locations for the storage and management of application source code. The main purpose of a code repository is to store the source files used in software development in a centralized location that allows for secure storage and the coordination of changes among multiple developers. Code repositories also perform version control, allowing the tracking of changes and the rollback of code to earlier version when required.
What is Code Integrity Measurement?
Code integrity measurement uses cryptographic hash functions to verify that the code being released into production matches the code that was previously approved. Any deviation in has values indicates that cod was modified, either intentionally or unintentionally, and requires further investigation prior to release.
What is DevOps?
Combines software development and IT operations with the goal of optimizing the SDLC.
What is CD
Continuous Deployment - Rolls out tested changes into production automatically as soon as they have been tested.
What is CI?
Continuous Integration - a development practice that checks code into a shared repository on a consistent ongoing basis. The goal is to enable the use of automation and scripting to implement automated courses oaf action that result in continuous delivery of code.
What is Cross-Site Scripting (XSS)?
Cross-site scripting (XSS) - Injects scripts into web application server to direct attacks at unsuspecting clients (Cross-site scripting attacks occur when attacker takes advantage of web applications that accept user input without validation and then present back to user) For example: Input that the user enters for Name is not verified instead is automatically added to a code segment that becomes part of an automated response An attacker can use this vulnerability in XSS attack by tricking valid website into feeding malicious script to another user's web browser to execute.
Which phase includes design for functionality, architecture, integration points and techniques, data flows, and business process?
Design Phase
What does DevSecOps describe?
DevSecOps is security built into the DevOps model. It integrates security into the design, development, testing, and operational work done to produce applications and services.
What is Input Whitelisting?
Developer describes the exact type of input that is expected from the user and then verifies that the input matches that specification before passing the input to other processes or servers.
What is Input Blacklisting?
Developers do not try to explicitly describe the acceptable input but instead describe potentially malicious input that must be blocked.
Which environment is used for "builders" to do their work?
Development Environment
Which phase does the actual coding of the application occur?
Development Phase (Coding)
What is Code Signing?
Device manufactures write drivers and then apply digital signatures to them so that the operating system can verify their authenticity.
Which phase occurs when a product or system reaches the end of its life?
Disposition Phase (End of Life Decommissioning)
What is Dynamic Code Analysis?
Dynamic code analysis relies on execution of the code while providing it with input to test the software.
Which phase is where initial investigations into whether the effort should occur are conducted?
Feasibility Phase (Planning)
What type of code review is the Fagan Inspection?
Formal code review (done using a team)
What is Fuzzing?
Fuzz testing or fuzzing involves sending invalid or random data to an application to test its ability to handle unexpected data.
What is Hashing?
Hashing uses a cryptographic hash function to replace sensitive identifiers with an irreversible alternative identifier. Salting the values with a random number prior to hashing them makes these hashed values resistant to a type of attack known as a rainbow table attack.
What are Null Pointer Exceptions?
If a pointer is empty it will contain a null value. If the application tries to de-reference this null pointer it causes Null Pointer Exception. Best case, a null pointer exception causes the program to crash, providing an attacker with access to debugging information that may be used for reconnaissance of the application's security. Worse case, a null pointer exception may allow an attacker to bypass security controls.
What vulnerabilities allow an attacker to supply some type of code to the web application as input and trick the web server into either executing that code or supplying it to another server to execute?
Injection Vulnerabilities
What is the most important tool to help protect against application vulnerabilities?
Input Validation
What is Agile Software Development?
It is a group of software development methods based on iterative and incremental development, where requirements and solutions evolve through collaboration between self-organizing, cross-functional teams.
What is Database Normalization?
It's a set of design principles that database designers should follow when building and modifying databases. Databases that follow these principles are said to be in normal forms, which are numbered in increasing order of the level of principle followed. The simplest normal form is the first normal form (1NF) and more advanced normal forms follow sequentially (2NF, 3NF, etc.) Advantages of implanting the principles include: 1. Prevent data inconsistency 2. Prevent update anomalies 3. Reduce the need for restructuring existing databases 4. Make the database schema more informative
What is Data Minimization?
Limiting the data that is collected and retained, and dispose of it when it is no longer needed.
What are NTLM Pass-the-Hast Attacks?
NTLM Pass-The-Hast Attacks take place against the operating system rather than a web application. The attacker begins by gaining access to a Windows system and then harvests stored NTLM password hashes from that system. They can then attempt to use these hashes to gain user or administrator access to that system or other systems in the same Active Directory domain.
Which phase includes patching, updating, minor modifications, and other work that does not daily support?
Ongoing Operations and Maintenance Phase
What does OWASP stand for?
Open Web Application Security Project
What is Over-the-Shoulder code review?
Over-the-Shoulder uses a pair of developers, it requires the developer who wrote the code to explain the code to the other developer.
What is Pair Programming?
Pair Programming is an Agile software development technique that places two developers at the same workstation. One developer writes code, while the other developer reeves their code as they write it. The developers are expected to change roles frequently, allowing both of them to spend time thinking about the code while t the keyboard.
What is Parameter Pollution?
Parameter Pollution works by sending a web application more than one value for the same input variable. Parameter Pollution attacks depend on defects in web platforms that don't handle multiple copies of the same parameter properly.
What is Pass-Around Code review?
Pass-Around code review is done by sending completed code to reviewers who check the code for issues. (Sometimes known as email pass-around code review)
What are Privilege Escalation attacks?
Privilege Escalation attacks seek to increase the level of access that an attacker has to a target system.
Which environment is the live system where software, patches, and other changes that have been tested and approved are moved?
Production Environment
What is Code Signing?
Provides developers with a way to confirm the authenticity of their code to end users. Developers use a cryptographic function to digitally sign their code with their own private key and then browsers can user the developer's public key to verify that signature and ensure that the code is legitimate and was not modified by unauthorized individuals.
What is Tokenization?
Replacing personal identifiers that might directly reveal an individual's identity with a unique identifier using a lookup table.
What is a Request Forgery attack?
Request Forgery attacks exploit trust relationships and attempt to have users unwittingly execute commands against a remote server. They come in two forms Cross-Site Request Forgery and Server-Side Request Forgery
What are Software Development Kits (SDKs)?
SDKs are collections of software libraries combined with documentation, examples, and other resources designed to help programmers get up and running quickly in a development environment.
What is Scalability?
Scalability is the measure to which a system can adapt to a change in demand for resources, without negatively impacting performance.
What are Secure Cookies?
Secure Cookies are never transmitted over unencrypted HTTP connections. Both servers and web browsers understand that they must only be sent over encrypted channels to protect against session replay attacks.
What does SSRF stand for?
Server-Side Request Forgery
What is the name of a malicious driver that is around the outside of a legitimate driver?
Shim
What does SDK stand for?
Software Development Kit
What does SDLC stand for?
Software Development Life Cycle
Which methodology uses the linear development concepts and adds an iterative process that revisits four phases multiple times during the development life cycle?
Spiral Model
Which model puts significant emphasis on risk assessment as part of the SDLC?
Spiral Model
What are Sprints?
Sprints is work typically broken up into short working sessions.
Which environment is for code that has successfully cleared testing and is waiting to be deployed?
Staging Environment
What is Static Code Analysis?
Static code analysis is conducted by reviewing the code for an application. It does not run the program; instead, it focuses on understanding how the program is written and what the code is intended to do.
What is a Session Replay Attack?
Stealing and using a cookie as the badge required to gain access to a website.
What is Stored XSS?
Storing cross-site scripting code on a remote web server.
What is shimming?
Takes a legitimate driver and wraps a malicious driver around the outside of it. The malicious driver receives requests from the operating system and simply passes them onto the legitimate driver so that the device functions normally.
What are Session Hijacking attacks?
Taking over an already authenticated session with a website.
Which environment allows for testing the software without impacting the production environment?
Test Environment
What is a Parameterized Query?
The client does not directly send SQL code to the database server. Instead, the client sends arguments to the server, which then inserts those arguments into a precompiled query template.
What are Code Injection Attacks?
These attacks seek to insert attacker written code into the legitimate code created by a web application developer.
What is Tool-Assisted code reviews?
Tool-Assisted code reviews rely on formal or informal software-based tools to conduct code reviews.
What tools does DevOps use?
Toolchains
Which phase ensures that the end users are trained on the software and that the software has entered general use?
Training and Transition Phase (Testing)
What does UAT stand for? This happens during the Testing and Integration phase.
User Acceptance Testing (UAT)
What is Reflected Input?
Vulnerable website is fed script commands through form fields in such a manner as to trick the site, the input is reflected back to a visitor as if it was original and legitimate content.
What methodology is a sequential model in which each phase is filled by the next phase?
Waterfall
What does WAF stand for?
Web Application Firewall
What are Web Shells?
Web Shells allow the attacker to execute commands on the server and view the results in a browser. This approach provides the attacker with access to the server over commonly used HTTP and HTTPS ports, making their traffic less vulnerable to detection by security tools.
What is an unvalidated redirect?
What an attacker may use to redirect the user to a malicious site.
What is an Insecure Direct Object Reference?
When an application does not perform authorization checks, allowing the user to be permitted to view information that exceeds their authority.
What is Point De-Referencing?
When an application follows the pointer and accesses the memory referenced by the pointer address.
What is a Memory Leak?
When an application requests memory but never releases it back to the OS to use on other applications. Applications can fail to return some or all of the memory it has requested. If the application continues to do this over a long period of time, it can slowly consume all the more available to the system, causing it to crash.
What is Buffer Overflow?
When an attacker manipulates a program into placing more data into an area of memory than was allocated for that program's use. The goal is to overwrite other information in memory with instructions that may be executed by a different process running on the system.
What are Cross-Site Request Forgery Attacks?
XSRF attacks exploit the trust that remote sites have in a user's system to execute commands on the user's behalf. Example: An attacker who wants to steal funds from user accounts right go to an online forum and post a message containing a link. That link actually goes directly into the money transfer site that issues a command to transfer funds to the attacker's account. The attacker then leaves the link posted on the forum and waits for an unsuspecting user to come along and click the link. If the user happens to be logged into the banking site, the transfer succeeds.