CySA+ 002 Chapter 9 - Software and Hardware Development Security
Precompiled SQL statements that only require variables to be input are an example of what type of application security control? A. Parameterized queries B. Encoding data C. Input validation D. Appropriate access controls
A. A parameterized query (sometimes called a prepared statement) uses a prebuilt SQL statement to prevent SQL-based attacks. Variables from the application are fed to the query, rather than building a custom query when the application needs data. Encoding data helps to prevent cross-site scripting attacks, as does input validation. Appropriate access controls can prevent access to data that the account or application should not have access to, but they don't use precompiled SQL statements.
Matt wants to prevent attackers from capturing data by directly connecting to the hardware communications components of a device he is building. What should he use to make sure that communications between the processor and other chips are not vulnerable? A. Bus encryption B. An HSM C. A TPM module D. LAMP encryption
A. Bus encryption protects data in transit between the processor and other devices. An HSM is used to create, store, and manage cryptographic keys as well as to offload cryptographic processing, and a TPM chip is used to store cryptographic keys. LAMP encryption is made up for this question.
During a web application test, Ben discovers that the application shows SQL code as part of an error provided to application users. What should he note in his report? A. Improper error handling B. Code exposure C. SQL injection D. A default configuration issue
A. Improper error handling often exposes data to users and possibly attackers that should not be exposed. In this case, knowing what SQL code is used inside the application can provide an attacker with details they can use to conduct further attacks. Code exposure is not one of the vulnerabilities we discuss in this book, and SQL code being exposed does not necessarily mean that SQL injection is possible. Although this could be caused by a default configuration issue, there is nothing in the question to point to that problem.
Gabby wants to insert data into the response from her browser to a web application. What type of tool should she use if she wants to easily make manual changes in what her browser sends out as she interacts with the website? A. An interception proxy B. A fuzzer C. A WAF D. A sniffer
A. Interception proxies are designed to allow testers to intercept, view, and modify traffic sent from web browsers and are often used for penetration testing and web application security testing. Fuzzers are used for application testing by sending invalid data to the application, a WAF is a web application firewall, and a sniffer is useful for monitoring traffic, but not for modifying web traffic in a live, easy-to-use manner.
Kathleen wants to build a public API for a modern service-oriented architecture. What model is likely her best choice? A. REST B. SOAP C. SAML D. RAD
A. RESTful designs are the most common and popular for modern web services because of their flexibility. SOAP remains in use, but is not broadly used for public APIs. SAML is a security assertion markup language and would be useful for making security assertions, not for building a general use SOA. RAD is an application development model.
What term describes a chip built into a computer that stores system-specific encryption keys used for hardware authentication? A. Trusted foundry B. TPM C. HSM D. SED
B. A Trusted Platform Module (TPM) stores encryption keys to be used for hardware authentication. Hardware security modules (HSMs) are used to create, manage, and store encryption keys and to offload cryptographic processing. SED stands for self-encrypting drive, and a trusted foundry is a trusted, validated, secure microelectronics supplier or manufacturer.
Adam is conducting software testing by reviewing the source code of the application. What type of code testing is Adam conducting? A. Mutation testing B. Static code analysis C. Dynamic code analysis D. Fuzzing
B. Adam is conducting static code analysis by reviewing the source code. Dynamic code analysis requires running the program, and both mutation testing and fuzzing are types of dynamic analysis.
Kristen wants to implement code review but has a distributed team that works at various times during the day. She also does not want to create any additional support load for her team with new development environment applications. What type of review process will work best for her needs? A. Pair programming B. Pass-around C. Over-the-shoulder D. Tool-assisted
B. Pass-around reviews normally rely on email to move code between developers. In Kristen's case, a pass-around review will exactly meet her needs. Pair programming and over-the-shoulder review both require developers to work together, whereas tool-assisted reviews require implementation of a tool to specifically support the review.
After a major patch is released for the web application that he is responsible for, Sam proceeds to run his web application security scanner against the web application to verify that it is still secure. What is the term for the process Sam is conducting? A. Code Review B. Regression testing C. Stress testing D. Whiffing
B. Sam is conducting a regression test, which verifies that changes have not introduced new issues to his application. Code review focuses on the application code, whereas stress testing verifies that the application will perform under load or other stress conditions. Whiffing isn't a term used in this type of review.
The application that Scott is writing has a flaw that occurs when two operations are attempted at the same time, resulting in unexpected results when the two actions do not occur in the expected order. What type of flaw does the application have? A. Dereferencing B. A race condition C. An insecure function D. Improper error handling
B. The application has a race condition that occurs when multiple operations cause undesirable results due to their order of completion. Dereferencing would occur if a memory location was incorrect, an insecure function would have security issues in the function itself, and improper error handling would involve an error and how it was displayed or what data it provided.
Every time Susan checks code into her organization's code repository, it is tested and validated, and then, if accepted, it is immediately put into production. What is the term for this? A. Continuous integration B. Continuous delivery C. A security nightmare D. Agile development
B. While this example includes continuous integration, the key thing to notice is that the code is then delivered/deployed into production. This means that Susan is operating in a continuous delivery/deployment environment, where code is both continually integrated and deployed. Agile is a development methodology and often uses CI/CD, but we cannot determine from the question whether Susan is using Agile.
Charles is worried about users conducting SQL injection attacks. Which of the following solutions will best address his concerns? A. Using secure session management B. Enabling logging on the database C. Performing user input validation D. Implementing TLS
C. Charles should perform user input validation to strip out any SQL code or other unwanted input. Secure session management can help prevent session hijacking, logging may provide useful information for incident investigation, and implementing TLS can help protect network traffic, but only input validation helps with the issue described.
During testing, Tiffany slowly increases the number of connections to an application until it fails. What is she doing? A. Regression testing B. Unit testing C. Stress testing D. Fagan testing
C. Tiffany is stress testing the application. Stress testing intentionally goes beyond the application's normal limits to see how it responds to extreme loads or other abnormal conditions beyond its normal capacity. Unit testing tests individual components of an application, and regression testing is done to ensure that new versions don't introduce old bugs. Fagan testing is a formal method of code inspection.
What process checks ensure that functionality meets customer needs? A. CNA B. Stress testing C. UAT D. Unit testing
C. User acceptance testing (UAT) is the process of testing to ensure that the users of the software are satisfied with its functionality. Stress testing verifies that the application will perform when under high load or other stress, and unit testing validates individual components of the application. CNA is not a term associated with application development.
Susan's team has been writing code for a major project for a year and recently released their third version of the code. During a post-implementation regression test, an issue that was originally seen in version 1 reappeared. What type of tool should Susan implement to help avoid this issue in the future? A. Stress testing B. A WAF C. Pair programming D. Source control management
D. A source control management tool like Subversion or Git can help prevent old code from being added to current versions of an application. Developer practices still matter, but knowing what version of the code you are checking in and out helps! Stress testing would help determine whether the application can handle load, and a WAF (web application firewall) can protect against attacks, but neither would resolve this issue. Pair programming might detect the problem, but the question specifically asks for a tool, not a process.
During a Fagan code inspection, which process can redirect to the planning stage? A. Overview B. Preparation C. Meeting D. Rework
D. During the rework stage of a Fagan inspection, issues may be identified that require the process to return to the planning stage and then proceed back through the remaining stages to re-review the code.
What type of testing focuses on inserting problems into the error handling processes and paths in an application? A. Fuzzing B. Stress testing C. Dynamic code analysis D. Fault injection
D. Fault injection directly inserts faults into the error handling paths for an application to verify how it will handle the problem. Stress testing focuses on application load, dynamic code analysis describes any type of live application testing, and fuzzing sends invalid data to applications to ensure that they can deal with it properly.
What process is used to ensure that an application can handle very high numbers of concurrent users or sessions? A. Fuzzing B. Fault injection C. Mutation testing D. Load testing
D. Load testing is used to validate the performance of an application under heavy loads like high numbers of concurrent user sessions. Fuzzing, fault injection, and mutation testing are all types of code review and testing.
Using TLS to protect application traffic helps satisfy which of the OWASP best practices? A. Parameterized queries B. Encode data C. Validate all inputs D. Protect data
D. TLS satisfies the "protect data" best practice by ensuring that network traffic is secure. Parameterizing queries uses prebuilt SQL, while encoding data removes control characters that could be used for cross-site scripting attacks and other exploits. Validating all inputs requires treating all user input as untrusted.
What type of attack is typically associated with the strcpy functions? A. Pointer dereferencing B. A race condition C. SQL injection D. Buffer Overflow
D. strcpy does not include size information for the data it accepts, making it a popular target for buffer overflow attacks.