Chapter 11: Managing Application Security
Stored Procedures (Page. 338)
A SQL injection attack manipulates a SQL statement and then ends it by inserting 1=1. Instead of writing Transact-SQL statements, we can have the SQL script prewritten and saved in a stored procedure (for example, ABC). This prevents manipulation of the statement. We then insert ABC into the Transact-SQL, thereby preventing alteration. This is similar to what happens with a batch file. Another method of detecting a SQL Injection is checking for an apostrophe in a data field.
Host Intrusion Detection System (HIDS) (Page. 337)
A ____ by its very nature, is a passive device that monitors patterns in the behavior of a computer system. The ____ uses a database that contains the settings for the computer, including the registry, critical system files, applications, and components. Its function is to alert the user to any discrepancies or attacks.
Code Signing (Page. 341)
A ____ certificate is procured that allows you to digitally sign scripts and executables to verify their authenticity and to confirm that they are genuine.
Stored Procedures (Page. 359)
A ____ is a pre-written SQL script that might ask you for a list of all the customers who have purchased items costing over $1,000 in the last 7 days. When this is written, it is saved as a stored procedure called ABC. When I run the ABC _____, it will give me all of the information I require, and an attacker won't be able to modify the script inside.
Host Intrusion Prevention System (HIPS) (Page. 337)
A ____ is a software program that can be installed on a host to protect it against attack. It analyzes the behavior of a computer and looks for any suspicious behavior in log files and memory and takes the appropriate action to prevent attacks such as malware.
Pointer/Object Dereference (Page. 358)
A ____ is a variable that references another object. This information is located in an address in memory. If you have a variable of 'abc' that has the address of the variable/object 'xyz' as its value, then 'abc' is said to point to 'xyz'. ____ is where you access the object directly from the address in memory.
Block List/Deny List (Page. 341)
A ____ prevents explicitly blocked applications from being set up by using a blacklist to prevent banned applications from running. Firewalls such as pfSense can have a _____.
Host-Based Firewall (Page. 338)
A _____ can be used to prevent unauthorized access to the desktop and can set up permitted rules for approved applications.
Hashing (Page. 339)
A database contains a huge amount of data, and we use ____ to index and fetch items from a database. This makes the search faster as the ____ key is shorter than the data. The ____ function maps out all of the data to where the actual records are held.
Version Control (Page. 358)
All applications that are written use ____ so that the newer and older versions of the software can be identified. The latest ____ are more secure compared to the older _____ that may not be supported by the vendor, leaving them vulnerable to attack. As updates are created, the ____ numbers increase, letting you know if you have the latest patches.
Embedded System (Page. 345)
An ____ has its own software built into the device hardware. Some are programmable and some are not. _____ are found in consumer products used for health monitoring, automotive, medical, and household products.
Software-Developer Kits (SDKs) (Page. 361)
An ____ is a set of software development tools that a vendor creates to make application development easier.
System on a Chip (SoC) (Page. 348)
An ____ is an integrated circuit on a microchip that connects the functionality of a computer on a small microchip. Life support devices use _____.
Next-Generation Firewall (NGFW) (Page. 337)
An ____ is more than a traditional ______. It can act as a Stateful _____ by carrying out deep packet filtering. It can also inspect application traffic to ensure that it is legitimate and use whitelisting to ensure that only approved applications are allowed to run. It can also act as an intrusion prevention device protecting against an attack, and it can inspect encrypted SSL and HTTPS packets.
Hardware Security Module (HSM) (Page. 345)
An ____ is similar to TPM chips, except that it is removable. The Key Escrow uses an _____ to store and manage private keys, but smaller ones can be used for computers.
Allow List (Page. 341)
An ____ only allows explicitly allowed applications to run. This can be done by setting up an application whitelist. Firewalls such as pfSense can have an ___.
Endpoint Detection and Response (EDR) (Page. 337)
An _____ is an advanced solution that is better than anti-virus or anti-malware. It is a centralized console that continuously monitors the computer, and makes automatic alerts when a threat has been detected. It uses machine learning to detect threats and can detect file-less viruses.
Data Loss Prevention (DLP) (Page. 337)
An endpoint ____ solution can be set up so that it can protect data on your computer from being stolen by using email or a USB drive. ____ can also protect any data that has a pattern match, such as PII information or sensitive data. Example- I have a file called new business contacts and I want to ensure that it cannot be stolen. It does not have a pattern match. However, I can use the ____ solution, select the file, and a pattern match will be assigned to the file. When someone tries to email the file, it will be blocked by the ____ system.
Input Validation (Page. 340)
Controlling inputs to an application is vital to ensure that buffer overflow, integer overflow, and SQL injection attacks cannot be launched against applications and databases. Input validation is where data is entered either using a web page or wizard. Both are set up to only accept data in the correct format within a range of minimum and maximum values. Example- Have you ever completed a web form quickly and maybe put your zip code into another field? This results in an error in the form and it fails to process the submit button. The webform then has a list at the top, in red, of the incorrect parameters, with a red star next to each of them. Once you have corrected the entries, the form will accept and submit them.
Manufacturing (SCADA) (Page. 352)
Creating all components to _____ a product such as a computer. One part of the factory creates the motherboard and another creates the cases, we import RAM, sound and graphics cards, and all of these are assembled in the production department.
Testing (Environment) (Page. 356)
Developers integrate all of their work into a single application, and software ____ ensures that the functionality of the program fulfills the specifications. They may also employ a secure coding freelancer to carry out regression _____ to ensure that the application is fit for production. At this stage, we are not looking at how it affects the production environment, as this is completed at staging.
Code Reuse/Dead Code (Page. 361)
Developers like to keep code libraries where they store their source code. If they need to develop an application, they may start with the old code and then modify it for the new application. _____ is code that is never executed. It also consumes resources and should be removed as it serves no purpose.
Normalization (Page. 361)
Each database has a list of tables that are broken down into rows and columns. In a large relational database, data may be retained in multiple places. The goal of _____ is to reduce and eliminate the redundancy to make fewer indexes per table and make searching much faster.
Cost (Constraints) (Page. 354)
Embedded systems are mainly customized, and when the new product is released, the ____ of purchase is outside the range of normal users.
Network (Constraints) (Page. 354)
Embedded systems are not scalable, and some can only communicate through Wi-Fi or Bluetooth and are short-ranged. It is difficult to transfer data from one system to another.
Early Launch Anti-Malware (Page. 336)
In a Windows computer, ________ tests that all drivers that are being loaded are signed and prevents rogue drivers from loading. It also detects rootkits and other malware on boot up and prevents them from loading.
Scalability (Pages. 113 & 355)
____ is the ability of a company to grow while maintaining a resilient infrastructure. It enables the company to grow faster than an on-premises company that needs to invest more money into bricks and mortar.
Memory Management (Page. 361)
It is important that, when a developer writes an application, they control how much ____ it can consume as this can create performance issues. _____ leaks are where written applications consume more memory than they need and, over a period of time, starve other applications of the memory that they need.
Range (Constraints) (Page. 354)
Many embedded systems may have a very short _____, and so are not scalable.
Hardware Upgrade/Patching (Constraints) (Page. 354)
Most embedded devices cannot have their _____, and some cannot patch. In fact, some vendors do not produce patches.
Secure Boot and Attestation (Page. 336)
Operating Systems such as Windows 10 can perform a secure boot at startup where the OS checks that all of the drivers have been signed. If they have not, the boot sequence fails as the integrity of the system has been compromised. This can be coupled with ______, where the integrity of the software has been confirmed.
Crypto (Constraints) (Page. 354)
PKI needs at least a 32-bit processor, and embedded devices are limited to 8 or 16, so you will need significant overhead when trying to authenticate, and this may well be very slow.
Data Exposure (Page. 361)
Sensitive data is normally encrypted to prevent it from being stolen by attackers; this would include passwords and credit card details. We should limit the amount of data allocated to a user who is using an application, and we should also use input validation and DLP to protect our data.
Authentication (Constraints) (Page. 354)
Some embedded systems are incapable of joining a network and only have the ability to log in locally.
Auto-Updates/Third-Party Updates (Page. 344)
The Microsoft Windows Server Update Services (WSUS) server can automatically roll out vendor and _____. Once the updates have been tested, they can be set up to automatically update your OS. Another method of ________ is Group Policy.
Self-Encrypting Drives (SEDs) (Page. 344)
The ___ are Solid State Drives (SSDs) and are purchased already set to encrypt data at rest. The encryption keys are stored on the hard drive controller. Therefore, they are immune to a cold boot attack and are compatible with all Operating Systems. The drives have a security mechanism allowing the drive to be locked to prevent unauthorized users from accessing the data. Only the computer user and the vendor can decrypt the drives.
Trusted Platform Module (TPM) (Page. 344)
The ____ chip is stored on the motherboard and is used to store the encryption keys so that when the system boots up, it can compare the keys and ensure that the system has not been tampered with.
Registry (Page. 343)
The ____ is a database of all the settings on your computer, and gaining access to the ____ can allow someone to cause damage to the computer. If you make a change in Control Panel, that change is reflected in your ____. There is a group of settings called hives, and there are five main hive keys. These start with HKEY__.
Unified Extensible Firmware Interface (UEFI) (Page. 336)
The ____ is a modern version of the Basic Input/Output System (BIOS) that is more secure and is needed for a secure boot of the OS.
Production (Environment) (Page. 356)
The _____ environment is where the application goes live, and end-users have the support of the IT team. The end-users will be asked to give as much feedback as they can if the application has any problems that were not picked up beforehand.
Elasticity (Pages. 112 & 355)
The cloud is like a pay-as-you-go model where one day you can increase resources and then the next day you can scale down the resources. You can even add more processor power, faster disks, more memory, or dual network cards whenever you want.
Development (Environment) (Page. 356)
The first stage of ____ an application is to use the most secure programming language for the task at hand. There may be more than one application developer involved in the _____. The application will go through different versions before it is complete, and these can be tracked by using version numbers.
Use of Third-Party Libraries (Page. 361)
The use of apps on mobile devices is a fierce marketplace where, as soon as you purchase a domain name, someone has emailed you offering you a good deal on mobile apps for your business. There are many ____ that have many pieces of code, and although they may not be perfect, this is a fast way to get your application to market. There is a danger that some parts of a _____ may not be secure. Treat them as a security risk.
Narrow-Band (Page. 353)
These are short-range, wireless applications that are used, for example, with security Radio-Frequency Identification (RFID) or keyless vehicle entry products.
Subscriber Identity Module (SIM) Cards (Page. 353)
These are small computer chips that contain the information that allows you to connect to your telecoms provider to make calls, send text messages, or use the internet.
Zigbee (Page. 353)
These chips are integrated with microcontrollers and radios. They are powered by a battery as they are low cost and low power. Example- Abode smart security systems, Bosch security systems, and Honeywell thermostats.
Industrial (SCADA) (Page. 352)
This could be converting raw materials such as iron ore into steel. You could convert raw sewage into clean water.
Arduino (Page. 352)
This is an open-source programmable microprocessor/microcontroller. These boards are programmable through USB. They are able to read inputs, whether it be a light on a sensor, or an activity such as turning on an LED, publishing something online, or activating a motor. They can be run from a 9-volt battery and can be used to control electronic components.
Field-Programmable Gate Array (FPGA) (Page. 351)
This is as close to creating your own chip as you can possibly get. The ____ takes code and stores it in multiple hardware blocks. The hardware block contains register and logic units. The ____ has absolutely no function at all. It has no processor, and this makes it very flexible. Each block can be programmed to perform a single function. ____ are super-fast as they have Gbps capability with a built-in transceiver and serial decoding. You could use an ____ to build your own supercomputer.
Raspberry Pi (Page. 351)
This is a credit-card-sized computer that allows you to run programming languages such as Python or Scratch. The ____ can be plugged into a monitor or computer.
Continuous Delivery (Page. 357)
This is the process of fixing bugs before the application moves into production. This happens in the staging environment.
Continuous Integration (Page. 357)
This is the process where multiple software developers consolidate and test the code that they write to ensure that the different input codes do not conflict. This happens in the developing and testing environments.
Continuous Monitoring (Page. 357)
This is to log any failures or security vulnerabilities suffered by the application so that steps can be taken to remedy them. If there is a system failure, we can use automation to remedy the situation.
Baseband Radio (Page. 353)
This is used for audio signals over a radio frequency. Example- When truck drivers go onto a specific channel to talk to another truck driver.
Manual Code Review (Page. 341)
This is where a developer reads code line by line to ensure that the code is written properly and that there are no errors. This is very tedious and time-consuming.
Cellular (Page. 353)
This is where tablets and phones are using 3G, 4G, or 5G to connect to their provider without needing any other devices. ____ connections are encrypted to prevent anyone from seeing who is logging on or stealing your data.
Secure Coding Practices (Page. 341)
This is where the developer that creates software ensures that there are no bugs or flaws so that they can prevent attacks such as buffer overflow or integer injection.
A Race Condition (Page. 358)
This is where two instructions from different threads try to access the same data at the same time. When the developer wrote the application, the threads should have been programmed to access the data sequentially. An example of this would be someone viewing a file's attributes whilst, at the same time, someone else would access the file. This is known as time of check/time of use (TOCTOU). The person accessing the file could change the data and overwrite the data that is being viewed.
Staging (Environment) (Page. 356)
This is where we ensure quality assurance before we roll it out to production. We test the new application with real data in a sandbox environment so that the end-users who will be using the application ensure it is fit for purpose and that all the reports that they need are available. At this ___, the application is signed off as being fit for purpose. The quality assurance of the product is fulfilled.
Fuzzing (Page. 342)
This is where we will put random information into an application to see whether the application crashes or causes memory leaks or error information to be returned. The white box pen tester uses this to remedy any potential problems before a new application is released. The black box will use fuzzing to find any vulnerabilities with the application. This is also known as improper input validation.
Measured Boot (Page. 336)
This was first adopted with Microsoft Windows 8, where all components from the firmware up to the applications and software are measured, and this information is stored in a log file. This log file is then stored in the Trusted Platform Module (TPM) chip on the motherboard. Anti-malware can use this information to ensure that when the system boots up, the software is trustworthy.
Operating System (Page. 343)
To harden an ___, the ___ must have the latest patches and updates. Subscribing to security bulletins from the vendor helps to get updates when new patches are released.
Facilities (SCADA) (Page. 352)
Used for building management to control the temperature by using a Heating, Ventilation and Air Conditioning (HVAC) system.
Energy (SCADA) (Page. 352)
Used for creating electricity and used by oil and gas refineries.
Logistics (SCADA) (Page. 352)
When a business orders desktops in bulk from Dell, the computer, mouse, keyboard, and monitor are created in different locations. ____ involves collecting all of these parts and delivering them to the customer.
Dynamic Code Analysis (Page. 341)
When developers use _____, the code is run locally, and then they use a technique called fuzzing, where a random input is inserted into the application to see what the output will be. White box pen testers use fuzzing to see the flaws and weaknesses in an application before it is rolled out to the production environment.
Static Code Analyzer (Page. 341)
When developers use ______, the code is not executed locally. Instead, they launch the _____ tool. Then the source code is run inside the tool that reports any flaws or weaknesses.
Proper Error Handling (Page. 359)
When we develop IT systems, we want the errors that are sent back to users to be very short and generic so that an attacker has very little information to use and launch further attacks. However, we want the information logged concerning errors to be as detailed as possible so that the security administrators know why the error occurred.
Hardware Root of Trust (Page. 344)
When we use certificates for FDE, they use a _____ that verifies that the keys match before the secure boot process takes place.
Implied Trust (Constraints) (Page. 354)
When you purchase an embedded system, you need to hope that there is _____, where the system operates as described in the sales brochures. You may not be able to troubleshoot these devices.
Real-Time Operating System (RTOS) (Page. 348)
____ are more reliable than desktops or servers as they are normally used for _____ applications since they process data immediately, thereby preventing buffering and buffer overflows. If a task or process does not complete within a certain time, the process will fail. ____ could be used for military systems or where robots are being used in production to ensure that processes are completed quickly.
Secure Cookies (Page. 340)
____ are used by web browsers and contain information about your session, and they can be stolen by attackers to carry out a session hijacking attack. We can set the secure flag on the website to ensure that ____ are only downloaded when there is a secure HTTPS session.
Exclusive OR (XOR) (Page. 360)
____ is a binary operator from Boolean algebra. This operator compares two bits and produces one bit in return: two bits that are equal produce 0, and two bits that are not equal produce 1. This is the opposite of binary.
Open Web Application Security Project (OWASP) (Page. 362)
____ is an international not-for-profit organization that provides an up-to-date list of the most recent web application security concerns. They rely on donations to exist.
Software Diversity (Page. 355)
____ is where a developer can take code and obfuscate it with a compiler so that an attacker cannot reverse engineer the code, allowing them to find vulnerabilities in the code.
Patch Management (Page. 344)
____ is where the Cybersecurity team obtains updates from the vendors. They test the updates on a computer in a sandbox to ensure that it will not cause any damage to either the OS or the installed applications. It might take them a few days to do the testing.
Tokenization (Page. 338)
____ takes sensitive data such as a credit card number and replaces it with random data. Therefore, it cannot be reversed. These payment gateway providers store the credit card details securely and generate a random token. ____ can help companies be Payment Card Industry Data Security Standard (PCI DSS)-compliant.
Open Ports and Services (Page. 342)
____ used by applications are endpoints for connections. Each application or protocol will use different port numbers; it is like having TV channels. If you don't go to the sports channel, then you can't watch sport. When you install an OS, some of these ports are open, so you need to close unused ports on your host-based firewall. This can be done on a Windows computer by using the netstat command to find the ____. The port number is after the colon in the Local Address column. You can use the netstat -ano command to close the port that you are not using.
Server-Side - Known As the Backend (Page. 362)
____ validation is where the user's input is sent to the server, where it is validated and then the response is sent back to the client. Programming languages such as C# and .NET are ____. Databases and domain controllers are known as ______. They will sit in the LAN.
Multifunctional Printers (MFPs) (Page. 348)
_____ are an all-in-one device consisting of at least two of the following - printer, scanner, fax, or photocopier. The weakness of each of these is that they all have a network interface and could be attacked through that interface. Any default setting or passwords must be changed.
Hypertext Transfer Protocol (HTTP) Headers (Page. 341)
_____ are designed to transfer information between the host and the web server. An attacker can carry out cross-site scripting as it is mainly delivered through injecting HTTP response headers.
Surveillance Systems (Page. 348)
_____ can check cameras, speak to those on the camera, automate lights, and set alarms, and this can all be done from a smartphone. _____ now tend to be networked and are used for the security of a business or your home and the footage can be used in evidence for legal purposes. They could be attacked from the internet and the attacker could steal the information that they contain. Therefore, the default username and passwords must be changed immediately.
Continuous Validation and Verification (Page. 357)
_____ is a non-functional compliance check to ensure that the application meets the original design. ____ is where the application is tested to make sure that it is fit for its purpose and fulfills the user's requirements.
Automated Courses of Action (Page. 357)
_____ is a process normally done by using pre-written scripts; these are known as _____. We can ______ by using a SOAR system so that when an attack is detected, the SOAR system can automate the action required to stop it.
Proper Input Validation (Page. 359)
_____ is controlled by using either wizards or web pages where the following is laid out: (a) Is it alphabetical? (b) Is it numerical? (c) Is it a certain format, such as a zipcode or telephone number? If the data is not input in the correct format, it will not be accepted. _____ on web pages lists errors in red at the top of the page with the incorrect entries. This prevents SQL injection, integer overflow, and buffer overflow attacks.
Obfuscation/Camouflage (Page. 360)
_____ is the process where you take source code and make it look ____ so that if it was stolen, it would not be understood. _____ the source code so that it cannot be understood by competitors. XOR and ROT 13 can be used to mask the data, and steganography can be used to hide or _____ the source code.
Sandboxing (Page. 345)
_____ is where we can install an application in a virtual machine environment isolated from our network so that we can patch, test, and ensure that it is secure before putting it into a production environment. We can investigate dangerous malware in a _____.
Anti-Virus (Page. 337)
_____ monitors websites that are being visited and the files that are being downloaded to ensure that they are not affected by viruses or Trojans. Most modern _____ solutions can carry out the role of anti-malware.
Salting (Page. 340)
_____ passwords in a database means that we take the password stored in the database and add randomized numbers to increase the compute time for a brute-force attack.
Anti-Malware (Page. 337)
_____ scans your computer for adware and spyware, and prevents malicious software from running.
Supervisory Control and Data Acquisition (SCADA) (Page. 352)
_____ systems are automated control systems consisting of multiple phases of production.
Client-Side - Known As the Frontend (Page. 362)
_____ validation is done locally on the client so there is no network traffic. Script languages such as JavaScript, VBScript, or HTML5 attributes are used for this type of validation on the browser side. Web servers are known as _____ as they are closer to the client making the request. They will normally sit in the screened subnet. _____ is much quicker, but an attacker can exploit the JavaScript and bypass the _____.
Application Programming Interface (API) Considerations (Page. 359)
______ allow access to an application or service, or allow applications to talk to one another. In today's world, we use a vast amount of web applications and Internet of Things (IoT) devices. API threats include injecting malicious code such as XSS, SQL injection or DDoS. During authentication of a user, we could use Open Authentication (OAuth) 2.0 that uses tokens as a secure method of authentication. We need to also look at the user permissions to limit the API functions that they can access. A good way of protecting your web applications and web server would be to use a Web Application Firewall (WAF).