Created by DJ Perrone
about 7 years ago
Question | Answer |
--- | --- |
What are 3 web application security design considerations? | - Secure by design - Secure by default - Secure by deployment |
What is an insecure direct object reference? | When you can access a target object without having the proper access. - Each direct object reference should undergo an access check. |
What is Cross Site Scripting (XSS)? | When an attacker locates a website vulnerability and injects malicious code into the web app. |
What is a CSRF? | - Cross Site Request Forgery - Causes the end user to execute unwanted actions on a web app after authentication. - Attack exploits the trust of the browser |
What is click jacking? | When an attacker posts a transparent page over a legitimate site to steal credentials. |
What is input validation? | The process of checking input for things such as proper format and length. |
What are the two types of privilege escalation? | - Vertical - Horizontal |
What is vertical privilege escalation? | - When a lower-privilege user or app accesses functions or content reserved for higher-privilege users or apps. |
What is horizontal privilege escalation? | When a normal user accesses functions or content reserved for other normal users. |
What is fuzz testing (fuzzing)? | Injecting invalid or unexpected input (faults) into an application to see how it reacts. |
What is a race condition? | When an attacker inserts themselves between instructions, introduces changes, and alters the order of execution of the instructions. |
What are two disposal methods? | - Data purging - Data clearing |
What is data purging? | Using a method such as degaussing to make sure old data is unavailable, even with forensics. |
What is data clearing? | A type of disposal that renders information unrecoverable by keyboard. |
What is an application security framework? | An attempt to bring consistency to application security. |
What 3 components are provided by an application security library? | - Input validation - Secure logging - Encryption and decryption |
What are 5 organizations that are generally industry-accepted approaches to application security? | - WASC - OWASP - BSI - ISO/IEC 27000 - WS-Security |
What is WASC? | Web Application Security Consortium - Provides best practices for web-based apps. - Provides continual monitoring of attacks, leading to a list of the top attack methods in use. |
What is OWASP? | Open Web Application Security Project - Monitors attacks. Maintains a list of top 10 attacks. |
What is BSI? | Build Security In - A DHS initiative promoting best security practices. - Provides security recommendations regarding architectures, testing methods and code review. |
What is ISO/IEC 27000? | International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) - Provides guidance to organizations in integrating security into the dev and maintenance of software apps. |
What is WS-Security? | Web Services Security - Uses a protocol called Simple Object Access Protocol (SOAP) for exchanging structured info. WS-Security (WSS) is an extension to SOAP to apply security to web services. |
What are the 3 main mechanisms of WSS? | - How to sign SOAP messages to ensure integrity (non-repudiation). - How to encrypt SOAP messages (confidentiality). - How to attach security tokens to ascertain the sender's identity. |
What are some common models for software development? Card 1 of 2 | - Build and Fix - Waterfall - V-shaped - Prototyping - Incremental - Spiral - Rapid application development (RAD) |
What are some common models for software development? Card 2 of 2 | - Agile - JAD - Cleanroom |
In reference to software development, what is the build and fix model? | - Popular in the past - Template for how to NOT develop - Problems are fixed as they are discovered |
In reference to software development, what is the waterfall method? | - Breaks software dev up into phases - Incremental development - Idea > Analysis > Design > Development > Test > Final Product - Rigid approach |
In reference to software development, what is the V-Shaped model? | - Differs from waterfall in that verification and validation are performed at each step. - Higher success due to testing at every stage. - Works with small scope changes and well-understood requirements. |
In reference to software development, what is the prototyping model? | - Use of sample code to explore different approaches. - Can provide cost and time savings. |
In reference to software development, what is the incremental model? | - Refined waterfall model - Dev should be in increments of functional capacity. - Series of waterfalls where previous capability is put in at the following implementation level. |
In reference to software development, what is the spiral model? | - Meta model including multiple dev models - Places emphasis on risk analysis at each stage. |
In reference to software development, what is the Rapid Application Development (RAD) model? | - Less time spent upfront. - More emphasis on rapid production of prototypes. - Trial and error |
In reference to software development, what is the agile model? | - More emphasis on continual feedback and cross-functional teamwork - Incorporates lessons learned in real time - Less rigid |
In reference to software development, what is the Joint Analysis (or Application) Development (JAD) model? | - Team approach - Team agrees on requirements and resolves differences. |
In reference to software development, what is the clean room model? | - Strictly adheres to formal steps and structured approach - Prevents errors through extensive testing. - Works well in high quality, mission critical situations. |
What is DAM? | Database Activity Monitoring - Monitors transactions of database services. - Can be used for monitoring unauthorized access for compliance auditing. |
What is a WAF? | Web Application Firewalls - Applies rule sets to an HTTP conversation - Will protect against SQL injection, DOM-based XSS and HTTP exhaustion. |
What is REST? | - Representational State Transfer (REST) - Client/server model for interacting with content on remote systems. |
What are two popular RESTful web services? | - JavaScript Object Notation (JSON) - XML |
What are advantages to using REST/JSON over SOAP/XML? | - Size: JSON is less bloated - Efficiency: Easier to parse and extract data - Caching: Improved response times due to caching. - Implementation: Easier to design and implement. |
What is a browser extension? | A small program or script to increase website functionality. |
What is ActiveX? | - Server-side MS tech. - Uses Object-Oriented Programming (OOP) - Based on COM and DCOM. - Significant flaws |
What is a Java applet? | Small, server side component running in a web browser. |
What is AJAX? | Asynchronous JavaScript and XML - Group of interrelated web dev techniques used on the client side to create asynchronous web applications. |
What is SOAP? | Simple Object Access Protocol - Exchanges structured information in the implementation of web services in computer networks. |
What is defined in the SOAP messaging framework? | - Processing model: Defines rules - Extensibility Model: Defines concept of features and modules - Binding framework: rules for defining a binding - Message: the structure of a SOAP message. |