Software Security Midterm Exam Questions (Practice)
What is exploitability?
The "ability to exploit... can an attacker successfully attack the vulnerability?
During which phase of the code review process does the following take place? 1) Moderator meets with author about rework. 2) Moderator verifies all changes made correctly 3) Author checks in corrected code.
Follow-up
What is Typosquatting?
Typosquatting, also known as URL hijacking, is a type of cyber attack in which an attacker registers a domain name that is similar to a legitimate domain in order to trick users into visiting a fake website.
Does the NVD uses CVE Numbers?
Yes
What is the Fuzz Testing Process?
1) Identify Target System 2) Identify Inputs 3) Generate Fuzzed Data 4) Execute Fuzzed Data 5) Monitor System Behavior 6) Log Defects
What is the code review process?
1) Planning (Author, Moderator) 2) Preparation (Everyone) 3) Meeting (Everyone) 4) Rework (Author) 5) Follow-up (Author, Moderator)
What are 2 differences between the CVE and NVD databases?
1) Purpose and scope: The CVE is a dictionary of common identifiers for publicly known cybersecurity vulnerabilities, while the NVD is a comprehensive database of vulnerabilities, including information about their impact and remediation. The CVE is used to standardize the naming and tracking of vulnerabilities across different organizations, while the NVD provides more detailed information about each vulnerability, including CVSS scores, references, and metadata. 2) Ownership and management: The CVE is managed by the MITRE Corporation, while the NVD is managed by the National Institute of Standards and Technology (NIST), a division of the US Department of Commerce. While the CVE is a separate dictionary that is used by many organizations and security vendors, the NVD is a public database that is maintained by NIST and provides vulnerability information for the US government, industry, and the public. In summary, the CVE and NVD serve different purposes and are managed by different organizations. The CVE provides standard identifiers for vulnerabilities, while the NVD provides comprehensive information about each vulnerability, including impact and remediation details.
What is the difference between a CVE and CWE?
1) Purpose: CVE is a dictionary of unique identifiers for publicly known cybersecurity vulnerabilities, while CWE is a comprehensive list of common software security weaknesses that can lead to vulnerabilities. CVE is used to identify and track known vulnerabilities, while CWE is used to identify and categorize common weaknesses that can lead to vulnerabilities. 2) Level of abstraction: CVE and CWE are also different in terms of their level of abstraction. CVE identifiers are specific to individual vulnerabilities and are assigned to each unique vulnerability, while CWE identifiers are more general and describe common software weaknesses that can be found in many different software systems and components. 3)Ownership and management: CVE is managed by the MITRE Corporation, while CWE is managed by the MITRE Corporation in collaboration with the cybersecurity community. CWE is designed to be used in conjunction with other security standards and frameworks, such as the Common Platform Enumeration (CPE) and the Common Vulnerability Scoring System (CVSS). In summary, CVE is used to identify and track known vulnerabilities, while CWE is used to identify and categorize common software weaknesses that can lead to vulnerabilities. CVE is specific to individual vulnerabilities, while CWE is more general and describes common weaknesses that can be found in many different software systems and components.
What are 2 ways to protect access control (OWASP Top 10 A1)?
1) Role-Based Access Control (RBAC): RBAC is a common access control model that restricts access based on the roles of users in an organization. Each user is assigned a specific role with a set of permissions, and access is restricted based on that role. This approach can help prevent unauthorized access to sensitive data or functionality by limiting access to only those users who need it. 2)Multi-Factor Authentication (MFA): MFA is a security mechanism that requires users to provide multiple forms of authentication before accessing a system or resource. This can include something the user knows, such as a password or PIN, something the user has, such as a physical token or a mobile device, or something the user is, such as a biometric factor like a fingerprint or facial recognition. By requiring multiple forms of authentication, MFA can help prevent unauthorized access to sensitive data or functionality, even if an attacker has obtained the user's password or other authentication credentials.
How many chapters does OWASP ASVS have?
14
What are the advantages and disadvantages of adversarial testing?
Advantages of Adversarial Testing: It identifies security vulnerabilities and other non-functional issues that may not be identified by functional testing. It helps identify edge cases and unexpected behavior, which can be difficult to discover through functional testing alone. It encourages developers to think about how their software might be used maliciously or in unexpected ways. Disadvantages of Adversarial Testing: It can be time-consuming and difficult to implement, as it requires a deep understanding of the software being tested and the ability to think creatively about how it might be misused. It can generate false positives or false negatives if the tests are not well-designed or if the software is changed after the testing has been completed. It can be costly to fix the issues identified by adversarial testing, as they often require significant changes to the software architecture or design.
What are the advantages and disadvantages of Functional Testing?
Advantages of Functional Testing: It verifies that the software meets its functional requirements. It is a systematic approach to testing that can be easily documented and repeated. It can be automated, allowing for efficient testing of large software systems. It can help identify defects early in the software development lifecycle, which can reduce the cost of fixing defects later. Disadvantages of Functional Testing: It may not identify non-functional issues, such as performance or security issues. It assumes that the software is being used as intended, and may not identify issues that occur when the software is used in unexpected ways. It may not identify defects that occur only under specific conditions or in rare scenarios.
What do all test cases have?
All test cases have the following 1.Unique and explanatory identifier (possibly with mapping identifiers) 2.Input into the program or program unit - specified at a level that multiple other people can repeat the test case and all do the same process ... must be repeatable 3.Expected output from the program or program unit 4.Actual results of running the test case
What is Static Analysis Security Testing (SAST)?
Analyzing the source code of the program without analyzing the program in execution. It can be performed manually or with automated tools.
How can attackers use typosquatting to attack the development process?
Attackers can use typosquatting to attack the development process in several ways: Stealing credentials: Attackers can create fake login pages that mimic legitimate ones and trick developers into entering their usernames and passwords. This can give attackers access to sensitive information and allow them to compromise the development process. Delivering malware: Attackers can use typosquatting to host malware on fake sites that are designed to look like legitimate ones. When developers visit these sites, they may unwittingly download malware onto their systems, which can compromise the entire development process. Installing backdoors: Attackers can use typosquatting to create fake download pages that appear to offer legitimate software updates or tools. When developers download and install these fake updates, they may inadvertently install backdoors that allow attackers to gain access to the development environment. Stealing intellectual property: Attackers can use typosquatting to create fake sites that mimic legitimate developer forums or repositories. When developers visit these sites, they may unwittingly disclose sensitive information about their development process or intellectual property.
What is Dynamic Application Security Testing (DAST)?
Black Box Fault injection; Fuzzing; Inject malicious payloads Tests a running application's exposed interfaces looking for vulnerabilities ZAP, WebInspect Systematically and repeatedly simulates attacks through the front end of an [completed and] running application Considered to be "outside in" Considered automated penetration testing J Finds exploitable vulnerabilities J Minimal user interaction required L Does not find the exact location of the vulnerability L Security knowledge is needed to interpret the reports L Testing can be time consuming (can run, literally, forever) L May have false positives (all tools do)
What is the CVE?
CVE stands for Common Vulnerabilities and Exposures. It is a dictionary or list of publicly known cybersecurity vulnerabilities and exposures that are associated with unique identification numbers. CVE is maintained by the MITRE Corporation, which is a not-for-profit organization that operates federally funded research and development centers. The goal of CVE is to provide a standardized naming convention for vulnerabilities, making it easier for organizations and security researchers to identify and track vulnerabilities across different systems and platforms. Each CVE entry includes a unique identifier, a brief description of the vulnerability or exposure, and any relevant references or links to more detailed information. CVE entries are assigned by the CVE Numbering Authority (CNA), which is responsible for ensuring that each vulnerability is uniquely identified and tracked.
What is the CVSS?
CVSS stands for Common Vulnerability Scoring System. It is a standardized framework for assessing and rating the severity of security vulnerabilities. CVSS provides a numerical score that reflects the severity of a vulnerability, based on several factors such as the potential impact on the confidentiality, integrity, and availability of the affected system or data. The score is calculated using a set of metrics that take into account the characteristics of the vulnerability, such as the ease of exploitability, the level of user interaction required, and the availability of patches or workarounds. The CVSS score ranges from 0 to 10, with 10 being the most severe. A high CVSS score indicates that the vulnerability poses a significant risk to the affected system or data and requires urgent attention. A low CVSS score indicates a less severe vulnerability that may still require attention but can be addressed at a later time. CVSS is widely used by security professionals, software vendors, and other organizations as a standard method for rating the severity of security vulnerabilities. It helps organizations prioritize their efforts and resources to address the most critical vulnerabilities first, and to communicate the severity of vulnerabilities to stakeholders in a standardized and consistent way.
Why is it important to check dependencies? What is the difference between direct and indirect dependencies? Is the security impact different?
Checking code dependencies is an important part of software development, as it helps ensure that the software is reliable, secure, and maintainable. Here are some reasons why it's important to check code dependencies: Security: If a dependency contains vulnerabilities, these could be inherited by the software that uses it. By checking dependencies, developers can identify and address any security issues. Compatibility: Dependencies may not be compatible with each other, or with the software that uses them. By checking dependencies, developers can ensure that the software works correctly with all of its dependencies. Maintainability: Dependencies may change or become outdated over time, which can make the software difficult to maintain. By checking dependencies, developers can identify any potential issues before they become problems. Direct dependencies are dependencies that the software explicitly requires to function correctly. For example, a web application may require a specific version of a database driver or a web framework. Indirect dependencies are dependencies that are required by the software's direct dependencies. For example, a web framework may require a specific version of a dependency management tool, which in turn may require other dependencies. The difference between direct and indirect dependencies is that direct dependencies are explicitly listed in the software's code or configuration files, while indirect dependencies are not. Indirect dependencies are often managed automatically by dependency management tools, such as npm or Maven, which track the software's direct dependencies and their own dependencies.
How does the code review process compare with pen testing for securing software?
Code review involves analyzing the code of a software application to identify potential vulnerabilities and ensure that it is secure. The code review process can be done manually or with the help of automated tools, and it can take place throughout the development lifecycle. The benefits of code review include: Finding vulnerabilities early in the development process, which can save time and money by reducing the cost of fixing vulnerabilities later on. Providing developers with feedback on their code, which can help them improve their skills and write better, more secure code in the future. Increasing confidence in the security of the software by identifying and addressing vulnerabilities before the software is released. Penetration testing, on the other hand, involves simulating an attack on a software application to identify vulnerabilities that could be exploited by an attacker. Penetration testing is typically done by an external team of security experts who attempt to break into the software using various techniques. The benefits of penetration testing include: Identifying vulnerabilities that may not have been found during the code review process. Providing a more realistic assessment of the software's security by simulating an actual attack. Helping organizations comply with regulatory requirements by demonstrating that the software has been tested for security vulnerabilities.
What is deserialization and explain why it is important to sanitize/validate inputs?
Deserialization is the process of converting data that has been saved or sent in a specific format back to its original form, so that it can be used by a program. This is often used to process input data that has been submitted through a form or an API. Sanitizing input is important because it helps to ensure that the input data is safe and free of potentially malicious code or data. When input data is submitted by a user, it can be intentionally or unintentionally manipulated or altered in ways that can cause security vulnerabilities in a program. One common attack that exploits input validation vulnerabilities is called an injection attack. In an injection attack, an attacker submits input data that includes malicious code or commands that can be executed by the program. For example, an attacker may submit a SQL query that includes a command to delete or modify data in a database, or they may submit code that can execute remote commands on the server. To prevent these types of attacks, it's important to sanitize input data by validating and cleaning it before using it in a program. This can involve checking the data type and length, removing any special characters or control characters, and applying filters or regular expressions to ensure that the data is in an expected format. In addition to preventing security vulnerabilities, sanitizing input data can also improve the reliability and performance of a program by ensuring that it only processes valid and expected data.
In what order does the prioritization mitigation wheel rotate?
Detection -> Fix time -> Exploitability ->
Why are digital signatures important when installing/updating packages?
Digital signatures are important when installing or updating packages because they help ensure the integrity and authenticity of the software being installed. Digital signatures provide a way to verify that the software has not been tampered with and that it was actually created by the expected developer or organization. When software packages are signed, the signature includes a digital certificate that is issued by a trusted third-party Certificate Authority (CA). The digital certificate contains the public key of the software developer, and it is used to validate the digital signature that is included with the package. When a user installs or updates a package, the operating system or package manager checks the digital signature against the public key contained in the digital certificate. If the signature matches and the digital certificate is trusted, then the package is considered to be legitimate and can be installed or updated. Without digital signatures, an attacker could potentially intercept the software package during transit or modify it before it is installed, inserting malicious code or changing its functionality. Digital signatures prevent this by ensuring that the package has not been tampered with and that it came from the expected developer or organization. In summary, digital signatures are important because they provide a way to verify the authenticity and integrity of software packages, helping to protect users from installing or updating packages that have been tampered with or are not legitimate.
When should you use IAST?
IAST is best suited for use in the following scenarios: Agile and DevOps environments: IAST is designed to integrate with modern software development methodologies, making it well-suited for use in agile and DevOps environments where speed and continuous delivery are important. Applications with complex architectures: IAST is particularly effective at identifying vulnerabilities in complex, multi-tier applications where traditional SAST and DAST techniques may not be as effective. Applications with a large codebase: IAST can help to reduce the time and effort required to identify security vulnerabilities in large codebases by providing more targeted and accurate results. Applications with a low tolerance for false positives: IAST has been shown to produce fewer false positives than traditional SAST and DAST techniques, which can be important in applications where false positives can lead to wasted time and effort. Applications that require high security: IAST can provide a more comprehensive and accurate assessment of an application's security posture, making it well-suited for use in applications that require high levels of security. In summary, IAST is best suited for use in agile and DevOps environments, applications with complex architectures or large codebases, applications with a low tolerance for false positives, and applications that require high levels of security. IAST can help organizations to identify vulnerabilities more quickly and accurately, reduce the risk of security incidents, and improve the overall security posture of their applications.
What is Interactive Application Security Testing (IAST)?
Interactive Application Security Testing (IAST) is a technique for identifying security vulnerabilities in software applications that combines elements of both SAST and DAST. IAST works by instrumenting the application and monitoring its execution to identify vulnerabilities in real-time.
What is the difference between local and global analysis?
Local Analysis: Analysis of an individual function. Global Analysis: Follow control and data flow between functions.
What is the NVD?
NVD stands for the National Vulnerability Database. It is a US government-funded online database that provides comprehensive information on publicly known cybersecurity vulnerabilities and exposures. The NVD is managed by the National Institute of Standards and Technology (NIST), which is a non-regulatory agency of the US Department of Commerce. It is based on the Common Vulnerabilities and Exposures (CVE) system, and includes additional information on each vulnerability such as severity scores, impact metrics, and remediation guidance. The NVD is an important resource for cybersecurity professionals and organizations, as it provides a centralized source of information on vulnerabilities that can be used to identify and prioritize security risks. It is also used by security researchers to stay up-to-date on the latest vulnerabilities and to develop security patches and other mitigation strategies. In addition to the web-based database, the NVD also provides a web service that allows other software tools to automatically query and retrieve vulnerability data from the database. This makes it easier for security professionals to integrate vulnerability information into their existing security workflows and tools.
What is an application of SBOM?
One application of Software Bill of Materials (SBOM) is to improve supply chain security. SBOM provides a comprehensive list of all the components used in a software system, including open source components and their versions, which can be shared with all stakeholders, including customers, vendors, and regulators. By providing an accurate and up-to-date SBOM, software vendors can help customers and other stakeholders identify potential security vulnerabilities and manage their risk. SBOM can also help vendors and their supply chain partners better understand the potential security risks associated with specific components and make more informed decisions about which components to use and how to manage those components over time. Additionally, regulatory agencies such as the US Federal Trade Commission (FTC) and the National Institute of Standards and Technology (NIST) are increasingly requiring SBOM as a part of their compliance requirements, to ensure the security and transparency of the software supply chain.
What are 3 input generation approachses?
Random Fuzzing Mutation Fuzzing- Start with a set of valid inputs and slowly make small modifications. Generation Fuzzing - Understand data formats and application state. Create inputs based on its model of program. Can handle problems like data that has a checksum, which mutation is unlikely to get correct.
What is the WAHH (web app hackers handbook) Pen Testing Methodology?
Recon & Analysis: 1) Map application content 2) Analyze the application Application Logic: 3) Test client-side controls 9) Test for logic flaws Access Handling: 4) Test authentication 5) Test session management 6) Test access controls Input Handling: 7) Fuzz all parameters 8) Test for issues with specific functionality Application Hosting: 10) Test for shared hosting issues 11) Test the web server
During which phase of the code review process does the following take place? 1) Author addresses issues reordered at meeting
Rework
When should you use DAST vs SAST?
SAST is preferred: During the early stages of development to identify security vulnerabilities before they become more expensive and difficult to fix. For scanning large codebases. For detecting security issues related to coding standards and code quality. DAST is preferred: When an application is in production or staging environments. For simulating real-world attack scenarios and identifying vulnerabilities that may be missed by SAST. For detecting security issues related to application configuration, session management, and authentication
What are five ways to attack source/build integrity in the software supply chain?
Software supply chain attacks are becoming more common and sophisticated, and they can be devastating for organizations that rely on third-party software components. One of the key aspects of software supply chain security is ensuring source/build integrity, which means that the code and build artifacts are trustworthy and haven't been tampered with. Here are five ways that attackers can compromise source/build integrity in a software supply chain: Compromised code repositories: Attackers may gain unauthorized access to the code repositories used by software suppliers, such as GitHub or Bitbucket, and inject malicious code into the software components. They can also modify the build scripts to include their own malicious code. Malicious dependencies: Attackers may create or modify legitimate dependencies used by software components to include malicious code. This can be done by submitting fake packages to package managers or by compromising the servers used by legitimate package repositories. Supply chain partner compromise: Attackers may target third-party suppliers or service providers that are part of the software supply chain. For example, an attacker may gain access to a supplier's build system and inject malicious code into the software components. Malware injection: Attackers may use malware or other malicious software to infect the build system or the software components themselves. This can be done through phishing attacks or by exploiting vulnerabilities in the software components. Man-in-the-middle attacks: Attackers may intercept and modify the communications between the software supplier and the customer, such as by modifying the software components during transit. This can be done through techniques such as DNS spoofing or by compromising the network infrastructure.
During which phase of the code review process does the following take place? 1) Reviewers examine inspection package. 2) Reviewers use checklists and analysis tools. 3) Reviewers mark bugs found
Step 2 Preparation
During which phase of the code review process does the following take place? 1) Reader describes code in own words 2) Reviewers comment and ask questions 3) Recorder notes potential bugs/suggestions 4) Team appraises code at meeting conclusion
Step 3 Meeting
1. What are 3 good practices for protecting identity and access management (OWASP Top 10 A7)?
Strong Authentication Mechanisms: Implement strong authentication mechanisms like two-factor authentication, multi-factor authentication, and biometric authentication. This can help to reduce the risk of unauthorized access to sensitive data and systems, even if an attacker has access to login credentials. Principle of Least Privilege: Follow the principle of least privilege, which means granting only the necessary access rights to users or applications, based on their roles and responsibilities. This can help to minimize the potential damage that could be caused by compromised accounts or insider attacks. Regular Review and Monitoring: Regularly review and monitor access rights and permissions to ensure that they are appropriate and up-to-date. This can help to detect and prevent unauthorized access or changes to sensitive data and systems. Additionally, keep an eye on the logs of access attempts, so that any anomalous behavior can be identified and addressed in a timely manner. By following these practices, organizations can better protect their identity and access management, reducing the likelihood of data breaches and other security incidents.
What type of supply chain attack was used in Solarwinds?
The supply chain attack that was used in the SolarWinds breach was a sophisticated and targeted attack that involved the compromise of the company's software development and distribution process. Specifically, the attackers were able to insert a malicious code into a software update package for the SolarWinds Orion network management software, which was then distributed to SolarWinds customers via the company's update system. The malicious code, which was designed to evade detection and blend in with legitimate software code, allowed the attackers to gain unauthorized access to the networks of SolarWinds customers who installed the compromised update. Once inside these networks, the attackers were able to carry out a range of malicious activities, including stealing data, exfiltrating sensitive information, and carrying out additional attacks. The SolarWinds supply chain attack is a notable example of the increasing sophistication and complexity of supply chain attacks, which are becoming more common and pose a significant risk to organizations that rely on third-party software and services. The attack highlights the need for organizations to have robust security measures in place to detect and prevent supply chain attacks, including measures to secure the software development and distribution process, implement secure coding practices, and monitor and analyze network traffic for signs of compromise.
What are the 3 components required for an injection attack (OWASP Top 10)?
The three components required for an injection attack are: Injection vulnerability: The first component is an injection vulnerability, which is a flaw in the web application that allows an attacker to inject malicious code or input. Injection vulnerabilities can occur in different parts of a web application, including user input fields, search boxes, and even HTTP headers. Malicious payload: The second component is a malicious payload, which is the code or input that an attacker injects into the web application. The payload can be a SQL query, a command, or any other type of code that can be executed by the web application. Attacker's intent: The third component is the attacker's intent, which is to exploit the injection vulnerability and achieve their goal, whether it's stealing sensitive information or gaining unauthorized access. The attacker may also use techniques such as obfuscation or encoding to hide the malicious payload from detection.
What is the difference between white, black and gray box testing?
White Box: •Tester knows all information about system. •Including source code, design, requirements. •Most efficient technique. •Avoids security through obscurity. Black Box: •Examines system as an outsider would. •Tester builds understanding of attack surface and system internals during test process. •Can use to evaluate effort required to attack system. •Helps test items that aren't documented Gray Box: •Apply both white box and black box techniques.
What is the difference between the three ASVS levels?
•ASVS Level 1 is for low assurance levels, and is completely penetration testable •ASVS Level 2 is for applications that contain sensitive data, which requires protection and is the recommended level for most apps ASVS Level 3 is for the most critical applications - applications that perform high value transactions, contain sensitive medical data, or any application that requires the highest level of trust
What is Adversarial Testing?
•Adversarial Testing •Verifies application's resistance to attack. •Based on risks in software design. Approaches testing with adversarial mindset
What is OWASP ASVS?
•Application Security Verification Standard is a list of application security requirements or tests that can be used by architects, developers, testers, security professionals, tool vendors, and consumers •Can be use for defining the functional and non-functional security controls (like encryption, MFA, etc.) required when designing, developing and testing applications and web services.
What is a dumb fuzzer?
•Dumb fuzzers do two things: •Send random data to the program. •Test to see if the program crashed. •This is inefficient: •Most random data won't be accepted, and •Most random data won't trigger failures. •The input space is too big to explore much of it with random data. For example, an application accepting two 64-bit integers x and y, has 264 x 264 = 2128 possible input values to test.
What is Functional Testing?
•Functional Testing •Verifies software features work as intended. •Includes security features, such as authentication and encryption.
What is the difference between functionality and adversarial testing for security?
•Functional Testing •Verifies software features work as intended. •Includes security features, such as authentication and encryption. •Adversarial Testing •Verifies application's resistance to attack. •Based on risks in software design. •Approaches testing with adversarial mindset.
What is Fuzz Testing?
•Fuzz testing is a form of automated software testing, which sends malformed or unexpected data to an application. A fuzzer is a program that performs fuzz testing on a program you want to test. •Fuzzers can be classified in different ways •Dumb vs Smart •Input type: CLI, GUI, Network, File-format •Input generation approach (random, mutation, etc.) •Information: Black box vs white box
What is Log4J OR Log4Shell ?
•Log4Shell (CVE-2021-44228) •Arbitrary code execution (CVSS score of 10.0). •Vulnerable code had existed since 2013. •Affected 17,000 (4% of all) packages at Maven Central, primarily through their dependencies. •Affected AWS, Cloudflare, Minecraft, Steam, etc. •Took a long time to fix all packages •13% of packages fixed in 1 week, but •80% dependencies were indirect, and •Majority were 5 levels down.
What is a smart fuzzer?
•Smart fuzzers understand input formats •Send expected data format •HTML document •PNG image •TLS packet •with randomly modified components •Randomly generated HTML •Random header values like height, width, colors, etc. •Random packet header values •Then check for a crash or error condition. •More efficient but may encode expectations about input format that prevent finding some bugs.
What is the software supply chain?
•The software supply chain consists of all of the code, systems, people, and processes used throughout the software development lifecycle to develop, build, and publish software. •Code you create, its dependencies, and the internal and external software you use to develop, build, package, install, and run your software. •Processes and policies for system access, testing, review, monitoring and feedback, communication, and approval. •Systems you trust to develop, build, store, and run your software and its dependencies.