D385: Logging and Security Issues

Ace your homework & exams now with Quizwiz!

What do system monitoring and review of audit trails provide?

- Accountability

ALE

- Annualized Loss Expectancy

Integration Testing Types

- Big Bang - Bottom Up - Top Down - Sandwich

Which two classes does the bdb module implement?

- Breakpoint - Bdb

Attributes of Intelligible Exceptions?

- Brief - Meaningful - Actionable

CSRF Mitigation

- CSRF tokens - SameSite cookies - avoid using GET requests for state-changing actions

CDI/UDI

- Constrained Data Interface - UnConstrained Data Interface

Dynamic Analysis

- DAST - performed by executing programs on a real or virtual processor in real time - find security errors in a program while it is running - cannot provide exact location where problems reside

What are the logging levels and values?

- DEBUG = 10 - INFO = 20 - WARNING = 30 - ERROR = 40 - CRITICAL = 50

Phases of Penetration Test?

- Data collection - Vulnerability assessment - Actual Exploit - Result in analysis and report preparation

Which test is solely black box testing?

- Integration testing

Which protocol caches a token after it has been acquired?

- MSAL

MTBF

- Mean Time Before Failure

MTTR

- Mean Time to Repair

MTSR

- Mean Time to Service Repair

What standard specifies minimum security requirements for audit data (logs)?

- NIST FIPS 200

When practicing defensive programming, what should your attitude about data be?

- Never trust data

6 important aspects of OSSTMM?

- Open Source Security Testing Methodology Manual 1. project scope 2. confidentiality 3. change process 4. test plan 5. test process 6. reporting standard

What does cross-origin resource sharing (CORS) allow users to do?

- Override same starting policy for specific resources

Three Assertion Categories?

- Precondition: something that must be true at the start of a function in order for it to work correctly - Postcondition: something that the function guarantees is true when it finishes - Invariant: something that is always true at a particular point inside a piece of code

What are the popular Python unit testing frameworks?

- PyUnit (built-in) - PyTest

SSRF

- Server-side Request Forgery - attacker us able to send requests on behalf of the server - allows attackers to forge the request signature and assume a privileged position on a network, bypassing firewall controls, and gaining access to internal services

What does a Session require?

- Session ID (randomly generated) - Cookies (never contain sensitive data) - session expiration

SLE

- Single Loss Expectancy

What should be Penetration Tested?

- Software - Hardware - Network - Processes - End-user behavior

How many arguments does the clear_break() method take?

- Two - filename, line number

What Data should be Validated?

- User input - Internal data - External data

Which logging function may indicate an impending full disk?

- WARNING - indicates that there could be a problem in the immediate future

Integration Testing Issues

- When to integrate? - Who does the testing? - What methods?

What kind of attacks does Client-side Testing look to prevent?

- XSS - SQLi - CORS - Clickjacking - HTML injection

What kind of defects does Static Analysis find?

- XSS - SQLi - configuration mistakes - patch errors - vulnerabilities introduced in the runtime environment

XML External Entity Attacks

- XXE - when attackers exploit an XML parser to read arbitrary files on your server - attackers might also be able to read config files, retrieve user information

What are Assertion statements?

- a statement that something must be true at a certain point in a program - if true the program does nothing - if false the program halts immediately and prints an error message (if one is provided)

Advantages of Static Code Analysis?

- access to the actual instructions the software will execute - can find the exact location of weaknesses in the code - can be conducted by trained software developers who understand the code - allows quick turnaround time - relatively fast if automated tools are used - automated tools can scan the entire code base - automated tools can provide mitigation recommendations - issues found earlier in the development lifecycle

Integration Testing

- after unit testing put together to test together

Defensive Coding Basic Concepts?

- all data is important - all data is tainted - all code is insecure - design by contract - sanitize (make sure no attack characters)

Recoverability

- application bounces back with minimal impact to data - data resumes being usable

What is the general structure of an assertion statement?

- assert expression [assertion_message]

What is defensive programming?

- assuming mistakes will happen and guarding against them - assertions are the most common way of doing this - code checks itself as it runs - always check, validate, and sanitize data

Limitations of Dynamic Code Analysis

- automated tools provide false sense of security - automated tools provide false positives, false negatives - only as good as the rules given - not enough trained professionals - difficult to trace vulnerability back to exact location, makes fixing the problem take longer

Successful Security Test Execution Includes?

- baseline and benchmark tests have been performed - automated test scripts have been validated as correct - re-benchmarking testing has been conducted after tuning - a basis for future test comparison has been created - test results of the security test case execution have been analyzed

When to Validate Data?

- before data is used - when data moves

Which three QA security-specific test type categories must be performed on software?

- benchmark - scheduled - exploratory

Which attribute provides a dictionary of breakpoint instances?

- bplist - maintains a (file, line) tuple of breakpoints

A security analyst has noticed a vulnerability in which an attacker took over multiple user's accounts. Which vulnerability did the security analyst encounter?

- broken access control

Types of Vulnerabilities found by Dynamic Analysis

- buffer overflow - SQLi - XSS - memory leaks - weak ciphers - DOES NOT find runtime vulns

Secure Unit Testing

- check for bad input - bypass security - inject bad data

What are two common defensive coding techniques?

- check functional preconditions and postconditions - develop code with exceptions to find errors

Cross-site Request Forgery

- client-side technique used to attack other users of a web application - attackers send HTTP requests that pretend to come from the victim - attackers then carry out unwanted actions such as changing a password or transferring money from a bank account

Which three data types are considered user-provided?

- cookies - POST data payloads - URL parameters

What should be checking for when checking Parameters?

- data type - data size - data format

PDB

- debugger built into the Python standard library

Six Sigma DMADV

- define - measure - analyze - design - verify

Six Sigma DMAIC

- define - measure - analyze - improve - control

Causes of Vulnerabilities?

- design and development errors - poor system configuration - human errors - connectivity - complexity - password - user input - management - lack of training to staff - communication

What are limitations of Static Code Analysis?

- does not account for runtime vulnerabilities - requires the tester to posses both testing and software development skills - tools would have to be language specific

Unit Testing

- done as early as possible - completed by developer before checked into repository - informal

Disadvantages of Unit Testing

- done by the person that programmed it - informal - may not be thorough and might miss something

Advantages of Unit Testing

- done early on - before integration with other code

Criteria for selecting the best penetration tool?

- easy to deploy, configure, and use - scan your system easily - categorize vulnerabilities based on severity - automate the verification of vulnerabilities - re-verify the exploits - generate detailed vulnerability reports and logs

Which three actions are supported by the Python Debugger (PDB)? (Choose 3 answers.)

- establishing breakpoints - code step throughs - stack tracing

Which Python function is prone to a potential code injection attack?

- eval( ) - exec ( )

An attacker exploits a cross-site scripting vulnerability.

- execute a shell command or script

Which method is used for a SQL injection attack?

- exploiting query parameters

What are limitations of Dynamic Code Analysis?

- false negatives and false positives - dependent on the correctness of the rules - false sense of security

What are advantages of Static Code Analysis?

- fast turnaround time, especially when tools are used

What should you do when you have UDI?

- filter anything unexpected

What are basic concepts in secure testing?

- finding vulnerabilities - finding variance from policy

What Parameters should be checked?

- function parameters - constructor parameters - data parameters

Which function can be used to return all set breakpoints?

- get_all_breaks( ) - returns a string with all set breakpoints

Which SDL phase uses static code analysis?

- implementation - white box testing during the implementation phase

What does CRITICAL indicate?

- indicates catastrophic code malfunction

What does ERROR indicate?

- indicates code malfunction

What is a Session?

- interactive - temporary - connection between 2 or more devices - necessary for stateless communication

Advantages of Dynamic Code Analysis

- limited scope - no access to actual instructions being executed - requires only a running system to perform the test - no requirement to have access to source code - no need to understand how to write software - tests specific operational deployment - identifies vulnerabilities at runtime - automated tools provide flexibility on what to scan - identifies false negatives from static code analysis - validates static code analysis findings - can be conducted on any application

What does the following in a penetration test mean to find? try:transport_security = req.headers['Strict-Transport-Security']except:print ('HSTS header not set properly')

- man-in-the-middle

Benefits of CDI

- more secure - more user friendly - starts data validation

How should Loggers be instantiated?

- never instantiated directly - always through the module-level function - logging.getLogger(name)

SSRF Mitigation

- never make outbound requests based on user input - validate external addresses before initiating any outbound requests

What are the 3 tenants of Defensive Programming?

- never trust data - validate everything - robust error handling

Sensitive Data Leaks

- occurs when an application fails to properly protect sensitive information - this typically occurs through descriptive response headers, descriptive error messages with stack traces or database error messages, or revealing comments in HTML files

What does DEBUG indicate?

- only used when diagnosing software problems

What are some Python debugging tools?

- pdb: most commonly used - Web-PDB - wdb - Pyflame - objgraph

Static Analysis

- performed without actually executed programs - performed by automated software tool - SAST - provides line-of-code-level detection - allows for vulnerabilities to be remediated quickly - can be used by software developers before checking in code

Log Injection Attack Mitigation

- prefixing log entries with meta-data (i.e. timestamp) - validate the entry before accessing or opening

What are some common debugging techniques?

- printing out values of variables - changing the state ("path") of the program to make it do different things - stepping through the execution of a program line by line - breakpoints - trace points - stopping the program at certain events - viewing the output of a program in a debugger window

Regression Testing Issues

- prioritization - how much is enough - test selection - who should do the test

3 Steps to Evaluate Web Application?

- recon - discovery - exploit

Security Logs

- record access to resources such as files, folders, printers

Attributes of Constrained Data Interfaces?

- reduced text fields - constrained flow - easy to follow for end user

Which software testing method relies on using old test cases?

- regression testing

Limitations of Static Code Analysis

- requires access to the source code - requires proficiency in running software builds - will not find issues related to deployment environments - time consuming - automated programs do not support all languages - lots of false positives and false negatives - not enough trained personnel - false sense of security - automated tools are only as good as the rules give - does not find vulnerabilities in the runtime environment

Resiliency

- resistant to failure - handles unexpected situations - stable operations

Which response method, when sent a request, returns information about the server's response and is delivered back to the console?

- response.content

3 Phase Approach that optimizes the use of Static Analysis Tools?

- run all available code analysis tools - look for common vulnerability patterns - dig deep into risky code

Insecure Deserialization

- serialization is the conversion of an object in a programming language is saved into a format that can be saved to a database - DEserialization is when a serialized object is read from a file or the network and converted back into an object - INSECURE DESERIALIZATION occurs when an attacker can manipulate the serialized object and achieve authentication bypass, DOS, or arbitrary code execution

What Logger method sets the threshold for the logger instance? How does it work?

- setLevel(level) - logging messages which are less severe than "level" will be ignored - logging messages which have severity "level" or higher will be emitted by whichever handle or handlers service this logger

Unit Test

- smallest, testable pieces of code called units - verifies that each part of the code works correctly and as intended

What makes a good test case?

- specific - measurable - testable

Manual Code Review Process Steps

1. identify security code review objectives 2. perform preliminary scan 3. review code for security issues 4. review for security issues unique to the architecture

4 Step Code Review Cycle

1. identify security code review objectives 2. perform preliminary scan 3. review code for security issues 4. review the security issues unique to the architecture

What is required for Secure Sessions?

- HTTPS - tokens (invalidate on the server) - expiration of session

What is the primary defense against log injection attacks?

- strictly sanitize outbound log messages by implementing an allow list of characters- this may include the limitation of alphanumeric characters and spaces in all logs

Which package is meant for internal use by Python for regression testing?

- test

What happens when assertion condition result is false?

- the program will stop and given an error message

Unconstrained Input

- the user can input as much data as they want

What are advantages of Dynamic Code Analysis?

- there is no need to understand how to write software

What are true about assertions?

- they are conditional Boolean expressions - they have an optional message part - they are used to check the types or values of arguments

What is the central concept for the Flaw Hypothesis Method?

- to test hypothetical flaws based on priority

Which three debugging techniques require the use of a debugger? (Choose 3 answers.)

- trace points - breakpoints - code step through

User Acceptance Testing Issues

- training - focus; need the end user to prioritize testing - bias

Exception Handling

- trap all errors - specific error handling - trap on site (where it occurred)

Reliability

- uptime - responsiveness - accurate

SQL Injection Attack Mitigation

- use parameterized statements

What are two techniques of defensive programming?

- value substitution - exception handling

Standard Defect descriptions and attributes?

- what - where - how - severity - status

Injection Attacks

- when an application cannot properly distinguish between untrusted user data and code - typically allows for arbitrary code execution

A successful security test execution plan assumes?

- you have done a detailed risk analysis - test assets have been developed as part of the risk management plan

CERT Top 10 Secure Coding Practices

1. validate input 2. heed compiler warning 3. architect/design for security 4. keep it simple 5. default deny 6. least privileges 7. sanitize data 8. defense in depth 9. QA 10. standards


Related study sets

Ch 3 Lifespan Considerations-Lilley

View Set

Real Estate License Test Formulas

View Set

Computer Science Supplemental Topics #1-#32

View Set