-
Parameterized queries offer what?
They offer another technique to protect applications against injection attacks.
-
In a parameterized query, does the client send SQL code to the database server?
No.
Instead, the client sends arguments to the server, which then inserts those arguments into a precompiled query template. This approach protects against injection attacks and also improves database performance.
-
What is sandboxing?
Sandboxing is the practice of running an application in a controlled or isolated environment to prevent it from interacting negatively with other system resources or applications.
-
In a sandboxed environment, how much access does the app have to the system?
It has restricted access and permissions to system resources.
-
Developers often use sandboxing for what?
Enabling them to debug and test code in a safe, controlled environment before deploying it into production.
-
How are sandboxes used against attackers?
Sandboxes are isolation tools used to contain attackers within an environment where they believe they are conducting an attack but, in reality, are operating in a benign environment.
-
What does code signing do?
Code signing provides developers with a way to confirm the authenticity of their code to end users.
-
How does code signing work?
Developers use a cryptographic function to digitally sign their code with their own private key and then browsers can use the developer's public key to verify that signature and ensure that the code is legitimate and was not modified by unauthorized individuals.
-
What does code signing protect users from?
Malicious updates, where an attacker attempts to deploy a fake patch that actually undermines the security of an application or operating system. If systems only accept digitally signed updates, a malicious update would fail that check and be rejected by the target system.
-
To save time, many organizations do what with code?
They reuse code.
-
What is a common way that code is reshared?
Third-party software libraries and software development kits (SDKs).
-
What are SDKs?
SDKs are collections of software libraries combined with documentation, examples, and other resources designed to help programmers get up and running quickly in a development environment.
-
What is one security issue that you have to be aware of when using shared code?
Security teams should ensure that outsourced code is subjected to the same level of testing as internally developed code.
-
What are code repositories?
Centralized locations for the storage and management of application source code.
-
What should a security professional do about dependencies on a single source of code, binary executable files, or compilers?
Keep track of them if they cannot be eliminated.
-
What is version control?
Code repositories also perform version control, allowing the tracking of changes and the rollback of code to earlier versions when required.
-
What is also included in version control that helps track code changes?
Security and auditing professionals can ensure that software development includes auditing and logging of changes.
-
What is dead code?
Code that is in use in an organization but for which nobody is responsible for maintenance; in fact, nobody may even know where the original source files reside.
-
Cybersecurity teams should also work hand in hand with developers and operations teams to ensure that applications are?
Provisioned and de-provisioned in a secure manner through the organization's approved release management process.
-
What is code integrity measurement?
Code integrity measurement uses cryptographic hash functions to verify that the code being released into production matches the code that was previously approved.
-
What happens if you are looking at the integrity measurement and it is different?
Any deviation in hash values indicates that code was modified, either intentionally or unintentionally, and requires further investigation prior to release.
-
What are the two application resilience principles?
Scalability and elasticity.
-
Application resilience - scalability
Scalability says that applications should be designed so that computing resources they require may be incrementally added to support increasing demand.
-
Application resilience - elasticity
Elasticity goes a step further than scalability and says that applications should be able to provision resources automatically to scale when necessary and then automatically deprovision those resources to reduce capacity (and cost) when it is no longer needed.
-
Source code comments
Placed strategically throughout code, they provide documentation of design choices, explain workflows, and offer details crucial to other developers who may later be called on to modify or troubleshoot the code.
-
The issue with putting comments in source code?
They can give attackers a roadmap to how the code works.
-
What does the compiler do with comments left in the code?
The compiler automatically removes comments from executable files.
-
Error handling code
Can reveal information about the inner workings of an application.
-
Hard coded credentials
When developers include usernames and passwords in the source code.
-
Hard-coded credentials - backdoor vulnerability
First, the developer may create a hard-coded maintenance account for the application that allows the developer to regain access even if the authentication system fails. This is known as a backdoor vulnerability and is problematic because it allows anyone who knows the backdoor password to bypass normal authentication and gain access to the system.
-
Hard-coded credentials - access credentials
The second variation of hard-coding credentials occurs when developers include access credentials for other services within their source code. If that code is intentionally or accidentally disclosed, those credentials then become known to outsiders. This occurs quite often when developers accidentally publish code to a public code repository, such as GitHub, that contains API keys or other hard-coded credentials.
-
Package monitoring
Package monitoring involves keeping track of all the third-party libraries or packages used in your organization, understanding what they do, and being aware of any potential vulnerabilities they may have.
-
What is usually included in package monitoring and how is it done?
It includes regularly updating these dependencies to ensure you are using the most secure, up-to-date versions of third-party packages. Automated tools can help with this process by identifying outdated or insecure dependencies and notifying developers when updates or patches become available.
-
What is an example of a limited resource on a computer?
RAM
-
What is resource exhaustion?
Whether intentional or accidental, systems may consume all of the memory, storage, processing time, or other resources available to them, rendering the system disabled or crippled for other uses.
-
What is an example of resource exhaustion?
A memory leak.
-
What is a memory leak?
In the case of an application with a memory leak, the application fails to return some memory that it no longer needs, perhaps by simply losing track of an object that it has written to a reserved area of memory. If the application continues to do this over a long period of time, it can slowly consume all the memory available to the system, causing it to crash.
-
What happens with memory once an application is done using it?
The memory is returned to the OS for another process to use.
-
Pointers are a commonly used concept in what?
Application development
-
What are memory pointers?
They are simply an area of memory that stores an address of another location in memory.
-
Pointer dereferencing
This simply means that the application follows the pointer and accesses the memory referenced by the pointer address.
-
What is a buffer overflow?
Buffer overflow attacks occur when an attacker manipulates a program into placing more data into an area of memory than is allocated for that program's use.
-
What is the goal of the buffer overflow?
To overwrite other information in memory with instructions that may be executed by different processes running on the system.
-
Memory injection
Maliciously inserting information into memory; it is the primary goal of a buffer overflow attack.
-
How long do buffer overflow attacks last?
They can last years!
-
Integer overflow is a variant of what attack?
Buffer overflow. The result of an arithmetic operation attempting to store an integer that is too large to fit in the specified buffer.
-
Race condition
A difficult exploit to perform that takes advantage of the small window of time between when a service is used and its corresponding security control is executed in an application or operating system, or when temporary files are created.
-
Time-of-check (TOC)
The instance when a system verifies access permissions or other security controls.
-
Time-of-use (TOU)
The moment when the system accesses the resource or uses the permission that was granted.
-
The Target of Evaluation (TOE)
Refers to the particular component, system, or mechanism being evaluated or tested for potential vulnerabilities, such as the system's method of managing and validating access permissions.
-
What is the result of resource exhaustion?
The system could be disabled or crippled for other uses.