- Security is about the protection of ________________.
Assets
- The term cybersecurity is a synonym for ________________.
Computer Security
- Correctness is related to security in that correctness is concerned with ensuring a system always ________________ and security is concerned with ensuring a system never ________________.
(Always) does what it is supposed to
(Never) does what it is not supposed to
- Correctness involves testing ________________ cases while security involves testing ________________ cases.
Use
Misuse (or Abuse)
- What do we call the things we protect our assets from?
Threats
- A security strategy should encompass: (1) prevention, (2) ________________, and (3) ________________.
Detection
Reaction
- What should be created in the early stages of planning a system so that security is properly addressed throughout the software life cycle?
A threat model
- “Security is a ________________, not a ________________.”
Concern
Feature
- Every input to a program is a ________________.
Potential threat
- Name three aspects of a security mindset.
Simple architectures
Pristine source code
Layers of trust
(Other answers are possible)
- What are some high level goals that attackers may have?
Eavesdropping, spoofing, denial of service, breaking in.
Were you just going to give the one word answer “profit”?
- What kinds of security issues are not under the realm of software security?
Hardware security
Physical security (locks)
Human factors (susceptibility to bribes, threats, and phishing)
- What happened on March 25, 1854 to the Öst-Götha Bank in Sweden?
It was robbed because a blacksmith was able to remove the vault hinges, despite there being high quality locks on the vault
- The statement “The system must have a login screen” is a terrible security requirement. What should be said instead?
Only authenticated users may perform all operations
- What is CIA in software security?
Confidentiality, Integrity, Availability
- A successful compromise of confidentiality causes a system to do what?
Divulge information the attacker should not have
- A successful compromise of integrity causes what to happen?
Important data to be modified or deleted, or malicious content (malware, bots) to be added
- A successful compromise of availability causes a system to do what?
Slow to a crawl, fail to respond to all requests, or crash
- What is the difference between authentication and authorization?
Authentication is ensuring someone is who they say they are
Authorization is ensuring someone has the permission to do something
- What is non-repudiation?
The impossibility of someone denying that they performed an action
- What kind of security features can the hardware provide?
It can allow certain machine instructions to take place only in kernel mode (not user mode) so regular users cannot execute harmful commands.
It can set read/write/execute permissions on memory blocks so that, for example, attackers cannot inject code into memory and then run it.
- What kind of security features can the operating system provide?
It can protect certain resources (files, processes, memory blocks, devices) so they can only be accessed by certain users
- What kind of security features can the network services provide?
Firewalls, anti-virus, packet filtering, encryption at different layers
- What are some human factors in security?
Malicious insiders, susceptibility to bribes, susceptibility to trickery
- What is the difference between a threat and an exploit?
A threat is something that could happen; an exploit is the actual execution of an attack that compromises confidentiality, integrity, or availability. You might also see the term “exploit” for the code or data itself that carries out the attack, though that is more properly referred to as the “payload”.
- How do people usually distinguish the terms bug and flaw?
A bug is a programming mistake that is generally easy to fix; a flaw is a problem in the design
- What is a risk?
A measure of how bad things could be
- What are the phases in the software development lifecycle (SDLC)?
Ideation • Planning • Requirements Analysis and Definition • Architecture and Design • Implementation • Static Analysis and Code Reviews • Testing • Documentation • Integration • Deployment • Maintenance • Evaluation • Retirement • Disposal.
- What percentage of reported security incidents result from exploits against defects in the design or code of software?
90%.
- What does it mean to “build security in”?
It means to design and implement the core domain objects and core business logic to prevent exploits, rather than leaving security concerns to separate libraries with ad-hoc solutions.
- “Secure software is better than ________________ software.”
Security.
- Why might you not even need specific security solutions like, say, an XSS Sanitizer?
If you define your domain objects to be restricted to certain character patterns, XSS attacks can be completely avoided.
- What might happen if you don’t build security in, and you give the system to the security experts and pen testers after you finish development?
The pentesters will find a ton of problems and tell you not to release the project without a massive overhaul.
- What might happen if you don’t build security in, and you end up just deploying the system as-is?
You will get hacked and destroyed.
- Secure software development is not really about ethical hacking and penetration testing, but rather about ________________.
Disciplined software design and development.
- What are some coding constructs that increase security?
Immutability, encapsulation, error isolation, validation.
- What are techniques for improving your confidence that your code is secure?
Manual code reviews and Linters.
- What kind of problems do people make when defining security requirements?
They sometimes mistake a technique or use case for a bigger concern (e.g., saying a login page is a requirement, when the actual requirement is not to divulge information to the wrong user).
- Give an example of an exploit stemming from an improperly defined security requirement.
A requirement that says “users must log in to access a page with links to their photos” says nothing about authenticating the actual service that fetches the photos, so an attacker might easily guess the URLs of anyone’s photos.
- What is the meaning of “defense in depth”?
Having a series of defenses so that if an attack isn't caught by one, it will probably be caught by the next one on the chain, and so on.
- What are some examples of layered protections that would appear in defense in depth?
Firewalls, anti-virus software, crypto, authentication mechanisms, authorization rules, signatures, correctness proofs.
- What is an example of the need to apply defenses broadly, as well as in depth?
An availability attack can exploit flaws stemming from, say, insufficient network bandwidth, filling up hard drives, excessive memory paging or cache invalidations, hash collisions, deadlocks, livelocks, bad database queries that don’t use indexes, or slow algorithms.
- What are the fancy terms for (1) trusted code in your security zone whose input you can trust, and (2) code from untrusted zones?
(1) Code-on-the-inside, (2) Code-on-the-edge.
- What is the concept of designing for least privilege?
Having the default situation being that any user or process is able to do the minimum possible to carry out its task, and no more.
- What do we define to help maintain integrity?
Preconditions, postconditions, and invariants.
- Why do we have to fail fast?
An unhandled failure can propagate an inconsistency in state leading to horrifying situations down the line.
- Auditing is important for security, especially for forensics and intrusion detection, but we have to be careful when logging. What are the two main concerns?
Never log secrets, and keep the logs themselves secure.
- Why should you not rely on secrets?
They can be accidentally or maliciously leaked, or divulged by a person who is under threat.
- Why should code be kept simple?
The more complex your code, the greater the attack surface, and the greater chance for the introduction of bugs and flaws.
- Why should you be somewhat coy when reporting errors to users?
The user may be an attacker looking for opportunities, so being too specific in error messages (e.g., distinguishing not found and found-but-you-don’t-have-access, or distinguishing bad-password from unknown-username-OR-password) may leak useful information to an attacker.
- What is the difference between security principles and tactics?
Principles are high level, like “defend in depth,” “fail fast,” “don’t rely on secrets,” and “prevent leaks.” Tactics are specific programming practices like “don’t double-free pointers” or “avoid global variables.”
- What are some organizations that publish guidelines and standards for secure software development?
CERT, OWASP.
- What are examples of types of exploits?
Injection, MitM, DOS, Malware, Phishing, Theft, Enumeration.
- Why should developers learn the various known vulnerabilities?
One needs to think like an attacker to know how best to defend.
- What is an injection attack?
Getting code that is authored by the attacker to run on the victim’s machine (without the permission of the victim).
- What is the CWE and about how many entries does it have?
Common Weakness Enumeration, a listing of around 1000 types of weakness.
- What is the CVE and about how many entries does it have?
Common Vulnerabilities and Exposures, a listing of over 100,000 specific vulnerabilities in actual systems.
- What does OWASP stand for?
Open Web Application Security Project.
- The famous “OWASP Top Ten” lists the top 10 what?
Security risks to web applications.
- Even though the famous OWASP Top 10 enumerates the top risks faced by web applications, OWASP also publishes a document for the Top 10 Proactive Controls. What are some of these proactive controls?
Define security requirements • leverage frameworks and libraries • secure your databases • encode/escape data • validate • implement digital identity • enforce access • protect data • log and monitor • handle all errors and exceptions.
- Should you read each of the OWASP Cheat Sheets?
Yes.
- What are the three best known security weaknesses on the web?
XSS, SQL Injection, and CSRF.
- How do you defend against stack buffer overflow attacks in your program?
Never use vulnerable functions like strcpy and strcat.
Do bounds checking.
Don’t put user-supplied data into buffers.
Stop using C and C++.
- How can the hardware, operating system, compiler, or runtime system help to avoid buffer overflow attacks?
Non-executable stack segments, stack canaries, ASLR, CFI.
- How do you defend against SQL Injection?
Use a query library, or prepared statements with bound parameters, NEVER compose raw SQL with string concatenation.
- How do you defend against XSS?
Input validation, performed server-side.
- How do you defend against CSRF?
CSRF Tokens, either kept on the server or through a “double submit cookie”.
- How do you defend against replays?
Nonces (number-used-only-once).
- How do you defend against brute-force password attacks?
Require all passwords to be very long
Use a slow hash function
Rate limit the authentication endpoint
Enforce rotation
- How do you defend against birthday password attacks?
Ensure your hashing algorithm is very strong and all hashes are salted.
- How do you defend against enumeration attacks?
Avoid sequential ids.
- What are three ways to avoid data corruption via shared references?
Immutable objects, defensive copying, or prohibiting copying
- Why is immutability a main pillar of secure software development?
Immutable objects free us from worrying about data corruption via shared references, or forgetting to revalidate on update.
- How can favoring immutability allow for more efficient software?
Immutable objects can be shared, so they don’t incur the overhead of being copied. They don’t have to be locked to access them, so concurrent programming is faster and safer too.
- What is a persistent data structure?
A data structure that always preserves its “history”, used when we want immutability of structures that we want to give the appearance of changing.
- Validations should be done in order from cheapest to most expensive. List as many as you can.
1. Origin, 2. Authentication, 3. Authorization, 4. State, 5. Size, 6. Lexical, 7. Syntactic, 8. Semantic.
- One secure coding rule is “The only good global variable is an immutable one.” Is this okay then, in Java?
public static final int[] primes = new int[]{2, 3, 5, 7, 11, 13};
No, you can update the elements of the array.
- How is complexity an enemy of security?
The more complex the software, the more error-prone it is, and the harder it is to reason about its correctness and its security. Every bit of added complexity is a new attack vector.
- Why should validations be done in the domain model?
Improved readability and understandability because behavior is localized and more cohesive.
Less prone to errors of omission.
If left outside, the same checks may be required in a number of service functions, which is not DRY.
- Why should programmers not write their own sanitization code?
There are often too many edge cases. Leave sanitization to well-tested libraries.
- What is the worst thing you can do with errors in software?
Ignore them, as this will likely lead to a corrupted state and loss of data integrity, which can just magnify over time to the point where you cannot recreate a proper state.
- What is the meaning of “fail fast”?
Reporting errors and taking action immediately (never continuing normal operation)
- What does it mean to “throw” an error?
The existing control flow is disrupted; control is transferred to a designated place where the error is “caught” and handled.
- Instead of throwing an error, we can return an error object from an operation. How can this be done safely?
As a typesafe discriminated union object, summing the error type with the type of the function’s successful return value.
- Why is it not a good idea to indicate errors through mutable arguments?
The caller might forget to check them.
- What condition in programming is often misunderstood by programmers to be an error that actually isn’t?
An optional value that isn’t present.
- What is one of the most common ways to reduce the cyclomatic complexity of software?
Replacing if-statements with a more declarative dispatch architecture.
- Which of authentication and authorization is concerned with users proving they are who they say they are?
Authentication.
- Which of authentication and authorization is concerned with managing permissions?
Authorization.
- Access control lists are examples of ________________?
Authorization.
- What does IAM stand for?
Identity and Access Management.
- What are the three major factors that can be used to authenticate a user?
Something you KNOW
Something you HAVE
Something you ARE.
- What attack is sufficient against short passwords?
Brute-Force Attack
- What attack is used to guess passwords that takes into account the fact that some passwords are more common than others?
Dictionary Attack
- Should user passwords ever be stored encrypted? Why or why not?
NO! Never store them encrypted. Encrypting something implies that you can decrypt it, and you never need to know a user’s password. Hash it instead.
- Why must password hashing algorithms be slow?
To drastically reduce the number of password cracking attempts per second
- Why must you salt password hashes?
If you don’t salt, everyone with the same password gets the same hash, and attackers can make note of the frequency of hashes to assist in cracking, and compromise more users if a commonly-appearing hash is inverted.
- What is a common attack used against unsalted hashes that is more efficient than the brute-force or dictionary attack?
Rainbow Attack
- Why do many systems use a shadow password file?
The original /etc/passwd file on Unix systems contained the password hash and was world-readable; these days it does not, and the actual hash is now kept in a (shadow) location readable only by a superuser.
- Do most security experts recommend password managers these days?
Yes. The risk of losing the single password to the vault or password manager, while indeed catastrophic, can be made extremely low, while the odds of losing one or more of your 50 varying credentials that are kept who knows where will always be much higher.