Software Security

Three types of value when talking about Assets

1. Hold value 2. Produce value 3. Provide access to value

JSON Web Tokens (JWT) have the following structure:

A header, a payload and a signature

This type of attacker is motivated by national interest:

Advanced Persistent Threat

Vulnerability

Any weakness in an asset that makes it susceptible to attack or failure

Asset

Anything you deem to have value

What is Broken Authentication

Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise sensitive data.

Session ID's are considered strong if they

Are uniquely generated per user and a new one is issued when a user authenticates

What is Interactive Application Security Testing?

Assesses applications from within using software instrumentation.

When validating inputs you should do all but:

Assume the client would check to make sure that the input was accurate before sending it

When whiteboarding a threat model we should identify the following: who, what, why, how, impact, and

Counter measure

This type of attacker is motivated by money:

Cyber Criminal

To defend against sensitive data exposure

Encrypt data in motion, at rest and put proper protections around data in use.

Which of the below are actions that are deemed threats?

Errors Failure Attack

It's okay to grant read access to a production database to the CEO of a company.(T/F)

False

It's okay to store a password in plain text since it would be difficult for an attacker to gain access to the filesystem or database that it is stored in. (T/F)

False

JSON Web Token (JWT) can be used to Authorize a user but not transmit information about that user.(T/F)

False

Logging access to sensitive information is not useful. (T/F)

False

Availability

Information is available for use by legit users when it is needed

Confidentiality

Information is only available to those who should have access

A user goes to a e-commerce website to purchase a new shirt. When the user checks out they notice that the price is in the URL as a parameter. They modify the price in the URL and are able to send a reduced price to the e-commerce site in order to get a cheaper product. This is an example of a lack of?

Integrity

Tampering is:

Intentional modification of products in a way that would make them harmful to the consumer.

Threat

Intentional or unintentional actions that can reduce the value of an asset Ex. Attack, Failure, Error

What is Dynamic Analysis?

Is a black-box security testing methodology in which an application is tested from the outside in by examining an application in its running state

Denial of Service is:

Is a cyber-attack where the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host.

What is Run-Time Application Security Testing?

Is a security technology that uses runtime instrumentation to detect and block computer attacks.

What is a Web Application Firewall?

It applies a set of rules to an HTTP conversation.

Spoofing is:

One person or program successfully masquerades as another by falsifying data.

There are two types of authorization tokens in OAuth

Refresh and Access Tokens

One method of ensuring the security of a 3rd party component is to

Request documentation related to the 3rd parties security.

There are several types of injection attacks, but two query types are:

SQL, LDAP

OAuth presents the user with the permissions that are being requested by the application. These requested permissions are called:

Scopes

STRIDE is:

Spoofing, tampering, repudiation, information disclosure, DoS, Elevation of privilege

Security dangers related to using a 3rd party component include all but:

The component may not work as advertised.

Symmetric Encryption is

Using a single key to encrypt and decrypt data

Asymmetric encryption is

Using two different keys to encrypt and decrypt data

CWE - Common Weakness Enumeration is:

A community-developed list of common software security weaknesses.

CVE - Common Vulnerabilities and Exposures is:

A list of common identifiers for publicly known cyber security vulnerabilities.

OpenID is

A standard and decentralized authentication protocol

What is a salt?

A value that can be added to another value before hashing it

What is a Penetration Test?

An authorized simulated attack on a computer system, performed to evaluate the security of the system.

What is Static Analysis

Attempt to highlight possible vulnerabilities within non-running source code.

A user goes to their browser and enters in google.com in the address bar. However, the browser returns an error that states "This site can't be reached". Which of the following is this a lack of?

Availability

The ASVS can be used, with some modification, to create security requirements, be used by testers to determine whether the application features are secure, as well as:

Being used by penetration testers to provide a report of tests and findings.

Dependency Check is used during which part of the Software Development Life Cycle

Build

How are web sites susceptible to injection

By not scrubbing or sanitizing user input

There is a score that is derived from the qualities of a vulnerability to provide a level of severity (low, medium, high, critical).

CVSS (Common Vulnerability Scoring System)

How does Dependency Check know that there are vulnerabilities in a 3rd party library

Compares the components being used to identified CVE's in the National Vulnerability Database

Who or what sets the Content Security Policy header value?

Configuring the web server

One way for Web applications to maintain sessions in order to keep track of anonymous users after the very first user request is to use:

Cookies

Integrity

Data is known to be correct and trusted

Data that I should put in my log.

Date and time of a failed login attempt

Which of the below are actions that are deemed threats?

Failure Attack Errors

A hash can be decrypted with enough specially configured processors. (T/F)

False

A strength of a Web Application Firewall is that it can permanently solve vulnerabilities that it finds. (T/F)

False

A user can only have a session after authenticating (post-authentication) with a Web site, but not before.(T/F)

False

Being able to view data from another account on my online banking web site is an example of broken authentication. (T/F)

False

It takes more money and security tools to protect against a script kiddie than an advanced persistent threat. (T/F)

False

Once I am authenticated to a system I should be allowed to access all data and files on that system. (T/F)

False

Once secrets are stored in a secure location, it's not necessary to monitor access to the location.(T/F)

False

Reflected XSS is when a script is stored in a persistent state in the web application and then later presented to a victim. (T/F)

False

The difference between HIPAA and PCI is HIPAA protects financial information and PCI protects healthcare data (T/F)

False

The issue with Asymmetric encryption is the exchanging of the single key (T/F)

False

The more points of interaction your application has the smaller the attack surface.(T/F)

False

Threats to computer systems and applications are in the form of electronic threats like failures and bugs but don't include natural disasters.(T/F)

False

When choosing to fix an identified threat, you should fix the high risk, high cost ones first. (T/F)

False

(T/F) If I have data that is worth roughly $5,000 dollars, I should spend as much as I can to protect it since $5,000 is a fair amount of money

False - Work Factor Principle

A misuse or abuse case is

How a malicious attacker can perform a workflow that counters normal user activity.

There are several ways to handle identified risks including all except:

Ignore

Acceptable places to put the password for an account that needs access to an external system are the following except:

In compiled code

What is Security Misconfiguration

Is the absence of secure settings whether it's within the application, framework, database, web server or platform.

Elevation of privilege is the "E" in STRIDE and means:

Is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.

What is Sensitive Data Exposure

Is the breach of data which should've been, otherwise, protected.

Authentication mechanisms can be considered broken in all but the following scenarios:

Limiting the number of attempts a user has to get their password correct

HIPPA establishes policies and procedures for

Maintaining the privacy and security of individually identifiable health information.

PCI DSS is an information security standard used to

Protect credit card data

Digital Certificates

Prove identity and ownership of the private key

If a user has forgotten their password, the best way to resolve this is:

Provide a reset function that sends them a one-time password and then immediately have them reset the password upon successful login

CVSS - Common Vulnerabilities Scoring System is:

Provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity.

What is Using Known Vulnerable Components

Refers to application frameworks, libraries or other software modules integrated into an application; such components are usually written by a 3rd Party but this is not exclusive. These components may be vulnerable.

In an XML External Entity attack an attacker can call external or system level resources like an external website or the password file a Linux machine. If we wanted to protect against this we should

Server-side whitelist validation Sanitization Disallow access to sensitive locations by the XML processor

Repudiation is the "R" in STRIDE and means:

State of affairs where the author of a statement will not be able to successfully challenge the authorship of the statement or validity of an associated contract

When considering the impact of a successful attack, it's important to realize that there are two kinds of impacts.

Technical & Business

Information Disclosure is the "I" in STRIDE and means:

The intentional or unintentional release of secure or private/confidential information to an untrusted environment.

What is Cross-Site Scripting

The subverting of web pages or websites by attackers through the use of scripting languages.

A hazard is a potential source of harm or danger and a threat is a specific type of hazard involving an abuser potentially harming an asset. (T/F)

True

A risk is the potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability.(T/F)

True

A secure cookie has the following attributes: marked secure, HTTPOnly, and Max-Age and expires is not set (T/F)

True

A strength of Interactive Application Security Testing is that it works well in a DevSecOps environment. (T/F)

True

A weakness of Dynamic Analysis is that it can't locate the line of code when an issue is found. (T/F)

True

A weakness of Run-Time Application Security Testing is there is potential to block legitimate traffic. (T/F)

True

An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects.(T/F)

True

An attacker that uses ransomware to demand money from a user or an organization is most likely a cyber criminal. (T/F)

True

Applications are susceptible to insecure deserialization if they deserialize hostile or tampered objects supplied by an attacker. (T/F)

True

Attackers can exploit vulnerable XML processors if they can upload XML or include hostile content in an XML document, exploiting vulnerable code, dependencies or integrations. (T/F)

True

Content Security Policy protects against Cross Site Scripting by limiting what can be executed by the browser using a white list set of values like script-src (T/F)

True

Deserialization is taking data structured from some format, and rebuilding it into an object. (T/F)

True

Digital certificates offload the trust of a website to a 3rd party. (T/F)

True

OAuth allows a user to delegate access to their information to a another entity like a Web site without giving them their password. (T/F)

True

OWASP Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool being maintained under the umbrella of the Open Web Application Security Project (OWASP). ZAP is designed specifically for testing web applications and is both flexible and extensible. (T/F)

True

Once a session has been established after authentication, it is the equivalent of the strongest authentication method used by the application.(T/F)

True

One defense mechanism for using a 3rd party component is to sign up for security notifications (T/F)

True

Protecting against injection can be achieved by using prepared statements, scrubbing input, and never trusting the user input. (T/F)

True

Risk is the potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability.(T/F)

True

Role-based access control (RBAC) is a policy-neutral access-control mechanism defined around roles and privileges.(T/F)

True

Secure code reviews should leverage a threat model in order to find hot spots in the application and also to make sure that the threat model is up to date with the code.(T/F)

True

Session Management can be achieved using cookies where the user is given a cookie with a session ID that is then presented back to the server each time the user accesses the server. (T/F)

True

Sessions are a sequence of network HTTP request and response transactions associated to the same user.(T/F)

True

Setting Content Security Policy will not only block an unwanted execution but will also report the attempt. (T/F)

True

The ASVS has three levels. Level 3 signifies an application that is using a large amount of sensitive data and can cause harm if it is unavailable.(T/F)

True

The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications. (T/F)

True

The SKF (Security Knowledge Framework) has descriptions of different types of attacks and will show examples of how to mitigate those attacks?(T/F)

True

The SKF (Security Knowledge Framework) has examples of secure code for multiple languages? (T/F)

True

The business impact stems from the technical impact but requires a deep understanding of what is important to the company running the application. (T/F)

True

When handling file upload/download it's best to configure the upload directory so files cannot be executed.(T/F)

True

To defend against security misconfiguration:

Understand what you have and ensure it is properly configured to allow least privilege.

All of the below are possible consequences of SQL injection except:

Updating the digital certificate used by the web server

What is Injection

When untrusted data is sent to an application and that data can then be interpreted by the program for the purpose of exposing unauthorized information.

The benefits of threat modeling are all, except:

Will fix all your security issues.