SY0-601 14 Summarizing Secure Application Concepts
Automation
Using scripts and APIs to provision and deprovision systems without manual intervention.
Vertical privilege escalation
When an attacker can perform functions that are normally assigned to users in higher roles, and often explicitly denied to the attacker.
Document Object Model (DOM)
When attackers send malicious scripts to a web app's client-side implementation of JavaScript to execute their attack solely on the client.
command injection
Where a threat actor is able to execute arbitrary shell commands on a host via a vulnerable web application.
Block list
A security configuration where access is generally permitted to any entity (software process, IP/domain, and so on) unless the entity appears on a list.
Agile development
A software development model that focuses on iterative and incremental development to account for evolving requirements and expectations.
waterfall model
A software development model where the phases of the SDLC cascade so that each phase will start only when all tasks identified in the previous phase are complete.
stress testing
A software testing method that evaluates how software performs under extreme load.
DLL injection
A software vulnerability that can occur when a Windows-based application attempts to force another running application to load a Dynamic Link Library (DLL) in memory that could cause the victim application to experience instability or leak sensitive information.
pointer dereference
A software vulnerability that can occur when code attempts to read a memory location specified by a pointer, but the memory location is null.
Memory leaks
A software vulnerability that can occur when software does not release allocated memory when it is done using it, potentially leading to system instability.
Race conditions
A software vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events, and those events fail to execute in the order and timing intended by the developer.
Data exposure
A software vulnerability where an attacker is able to circumvent access controls and retrieve confidential or sensitive data from the file system or database.
Extensible Markup Language (XML)
A system for structuring documents so that they are human- and machine-readable. Information within the document is placed within tags, which describe how information within the document is structured.
Clickjacking
A type of hijacking attack that forces a user to unintentionally click a link that is embedded in or hidden by other web page elements.
session hijacking
A type of spoofing attack where the attacker disconnects a host then replaces it with his or her own machine, spoofing the original host's IP address.
arbitrary code execution
A vulnerability that allows an attacker to run their own code or a module that exploits such a vulnerability
remote code execution
A vulnerability that allows an attacker to transmit code from a remote host for execution on a target host or a module that exploits such a vulnerability.
Test/integration
in this environment, code from multiple developers is merged to a single master copy and subjected to basic unit and functional tests (either automated or by human testers). These tests aim to ensure that the code builds correctly and fulfills the functions required by the design.
Visual Basic for Applications (VBA)
Programming languages used to implement macros and scripting in Office document automation.
continuous delivery
Software development method in which app and platform requirements are frequently tested and validated for immediate availability.
continuous deployment
Software development method in which app and platform updates are commited to production rapidly.
Continuous integration (CI)
Software development method in which code updates are tested and commited to a development or build server/code repository rapidly.
client-side or cross-site request forgery (CSRF or XSRF)
A malicious script hosted on the attacker's site that can exploit a session started on another site in the same browser.
canonicalization attack
Attack method where input characters are encoded in such a way as to evade vulnerable input validation measures
compiled code
Code that is converted from high-level programming language source code into lower-level code that can then be directly executed by the system.
Output encoding
Coding methods to sanitize output created from user input.
Python
High-level programming language that is widely used for automation.
quality assurance (QA)
Policies, procedures, and tools designed to ensure defect-free development and delivery.
code review
The process of peer review of uncompiled source code by other developers.
Horizontal privilege escalation
When a user accesses or modifies specific resources that they are not entitled to.
server-side request forgery (SSRF)
causes the server application to process an arbitrary request that targets another service, either on the same host or a different one. exploits both the lack of authentication between the internal servers and services (implicit trust) and weak input validation, allowing the attacker to submit unsanitized requests or API parameters.
Staging
this is a mirror of the production environment but may use test or sample data and will have additional access controls so that it is only accessible to test users. Testing at this stage will focus more on usability and performance.
Structured Query Language (SQL)
A programming and query language common to many largescale database systems. SQL
input validation
Any technique used to ensure that the data entered into a field or variable in an application is handled appropriately by that application.
uniform resource locator (URL)
Application-level addressing scheme for TCP/IP, allowing for human-readable resource addressing. For example: protocol://server/file, where "protocol" is the type of resource (HTTP, FTP), "server" is the name of the computer (www.microsoft.com), and "file" is the name of the resource you wish to access.
Percent encoding
Mechanism for encoding characters as hexadecimal values delimited by the percent sign.
Deprovisioning
The process of removing an application from packages or instances.
Software Restriction Policies (SRP)
available for most versions and editions of Windows, SRP can be configured as group policy objects (GPOs) to passlist file system locations from which executables and scripts can launch. Rules can also be configured by publisher signature or by file hash. There is also support for creating blocklist-based rules.
Credential dumping
the malware might try to access the credentials file (SAM on a local Windows workstation) or sniff credentials held in memory by the lsass.exe system process (attack.mitre.org/tactics/TA0006).
Software development kit (SDK)
using sample code or libraries of pre-built functions from the programming environment used to create the software or interact with a third party API. As with other third party libraries or code, it is imperative to monitor for vulnerabilities.
Normalization
A routine that applies a common consistent format to incoming data so that it can be processed safely. Normalization is referred to in the context of log collection and software coding.
Allow list
A security configuration where access is denied to any entity (software process, IP/domain, and so on) unless the entity appears on the list.
PowerShell
A command shell and scripting language built on the .NET Framework.
Bourne Again Shell (Bash)
A command shell and scripting language for Unix-like systems.
Fuzzing
A dynamic code analysis technique that involves sending a running application random and unusual input so as to evaluate how the app responds.
cross-site scripting (XSS)
A malicious script hosted on the attacker's site or coded in a link injected onto a trusted site designed to compromise clients browsing the trusted site, circumventing the browser's security model of trusted zones.
reverse shell
A maliciously spawned remote command shell where the victim host opens the connection to the attacking host.
structured exception handler (SEH)
A mechanism to account for unexpected error conditions that might arise during code execution. Effective error handling reduces the chances that a program could be exploited.
pass the hash (PtH)
A network-based attack where the attacker steals hashed user credentials and uses them as-is to try to authenticate to the same network the hashed credentials originated on.
Directory traversal
An application attack that allows access to commands, files, and directories that may or may not be connected to the web document root directory.
Lightweight Directory Access Protocol (LDAP) Injection
An application attack that targets webbased applications by fabricating LDAP statements that are typically created by user input.
exceptions
An application vulnerability defined by how an application responds to unexpected errors that can lead to holes in the security of an app.
integer overflow
An attack in which a computed result is too large to fit in its assigned storage space, which may lead to crashing or data corruption, and may trigger a buffer overflow.
buffer overflow
An attack in which data goes past the boundary of the destination buffer and begins to corrupt adjacent memory. This can allow the attacker to crash the system or execute arbitrary code.
SQL injection
An attack that injects a database query into the input data directed at a server by accessing the client side of the application.
man-in-the-browser (MitB)
An attack when the web browser is compromised by installing malicious plug-ins or scripts, or intercepting API calls between the browser process and DLLs.
replay attack
An attack where the attacker intercepts some authentication data and reuses it to try to re-establish a session.
Dead code
Code in an application that is redundant because it will never be called within the logic of the program flow.
error handling
Coding methods to anticipate and deal with exceptions thrown during execution of a process.
server-side
In a web application, input data that is executed or validated as part of a script or process running on the server.
time of check to time of use (TOCTTOU)
The potential vulnerability that occurs when there is a change between when an app checked a resource and when the app used the resource.
Version control
The practice of ensuring that the assets that make up a project are closely managed when it comes time to make changes.
privilege escalation
The practice of exploiting flaws in an operating system or other application to gain a greater level of access than was intended for the user or application.
Provisioning
The process of deploying an application to the target environment, such as enterprise desktops, mobile devices, or cloud infrastructure.
Execution control
The process of determining what additional software may be installed on a client or server beyond its baseline to prevent the use of unauthorized software.
shim
The process of developing and implementing additional code between an application and the operating system to enable functionality that would otherwise be unavailable.
Refactoring
The process of restructuring application code in such a way that the same functionality is provided by different programming methods. Refactoring is often used to improve an application's design without affecting the external behavior of the application, or to enable it to handle particular situations.
Static code analysis
The process of reviewing uncompiled source code either manually or using automated tools.
software development life cycle (SDLC)
The processes of planning, analysis, design, implementation, and maintenances that often govern software and systems development.
Elasticity
The property by which a computing environment can instantly react to both increasing and decreasing demands in workload.
Scalability
The property by which a computing environment is able to gracefully fulfill its ever-increasing resource needs.
continuous monitoring
The technique of constantly evaluating an environment for changes so that new risks may be more quickly detected and business operations improved upon.
macro
a sequence of actions performed in the context of a word processor, spreadsheet, or presentation file
HTTP Strict Transport Security (HSTS)
forces browser to connect using HTTPS only, mitigating downgrade attacks, such as SSL stripping.
Windows Defender Application Control (WDAC)
formerly Device Guard, this can be used to create Code Integrity (CI) policies, which can be used on their own or in conjunction with AppLocker. CI policies apply to the computer and affect all users. CI policies can be based on version-aware and publisher digital signatures, as well as image hashes and/or file paths. WDAC is a useful option for preventing administrator accounts from disabling execution control options
AppLocker
improves configuration options and default usage of SRP. Notably AppLocker policies can be applied to user and group accounts rather than just computer accounts. However, AppLocker GPOs can only be configured for Enterprise and Ultimate editions of Windows 7 and later.
Content Security Policy (CSP)
mitigates clickjacking, script injection, and other client-side attacks. Note that X-Frame-Options and X-XSS-Protection provide mitigation for older browser versions, but are now deprecated in favor of CSP.
Cache-Control
sets whether the browser can cache responses. Preventing caching of data protects confidential and personal information where the client device might be shared by multiple users.
Production
the application is released to end users.
Development
the code will be hosted on a secure server. Each developer will check out a portion of code for editing on his or her local machine. The local machine will normally be configured with a sandbox for local testing. This ensures that whatever other processes are being run locally do not interfere with or compromise the application being developed.
Lateral movement/insider attack
the general procedure is to use the foothold to execute a process remotely, using a tool such as psexec (docs.microsoft.com/en-us/sysinternals/downloads/psexec) or PowerShell (attack.mitre.org/tactics/TA0008). The attacker might be seeking data assets or may try to widen access by changing the system security configuration, such as opening a firewall port or creating an account. If the attacker has compromised an account, these commands can blend in with ordinary network operations, though they could be anomalous behavior for that account.
Persistence
this is a mechanism that allows the threat actor's backdoor is restarted if the host reboots or the user logs off (attack.mitre.org/tactics/TA0003). Typical methods are to use AutoRun keys in the registry, adding a scheduled task, or using Windows Management Instrumentation (WMI) event subscriptions.
Shellcode
this is a minimal program designed to exploit a buffer overflow or similar vulnerability to gain privileges, or to drop a backdoor on the host if run as a Trojan (attack.mitre.org/tactics/TA0002). Having gained a foothold, this type of attack will be followed by some type of network connection to download additional tools.
Third-party library
using a binary package (such as a dynamic link library) that implements some sort of standard functionality, such as establishing a network connection or performing cryptography. Each library must be monitored for vulnerabilities and patched promptly.
Code reuse
using a block of code from elsewhere in the same application or from another application to perform a different function (or perform the same function in a different context). The risk here is that the copy and paste approach causes the developer to overlook potential vulnerabilities (perhaps the function's input parameters are no longer validated in the new context).
Stored procedures
using a pre-built function to perform a database query. A stored procedure is a part of a database that executes a custom query. The procedure is supplied an input by the calling program and returns a predefined output for matched records. This can provide a more secure means of querying the database. Any stored procedures that are part of the database but not required by the application should be disabled.