1.5 Application and Security Controls

Description

Differentiate application vulnerabilities and select appropriate security controls.
DJ Perrone
Flashcards by DJ Perrone, updated more than 1 year ago
DJ Perrone
Created by DJ Perrone about 7 years ago
18
1

Resource summary

Question Answer
What are 3 web application security design considerations? - Secure by design - Secure by default - Secure by deployment
What is an insecure direct object reference? When you can access a target object without having the proper access. - Each direct object reference should undergo an access check.
What is Cross Site Scripting (XSS)? When an attacker located a website vulnerability and injects malicious code into web app.
What is a CSRF? - Cross Site Request Forgery - Causes the end user to execute unwanted actions on a web app after authentication. - Attack exploits the trust of the browser
What is click jacking? When an attacker posts a transparent page over a legitimate site to steal credentials.
What is input validation? The process of checking input for things such as proper format and length.
What are the two types of privilege escalation? - Vertical - Horizontal
What is vertical privilege escalation? - When a lower-privilege user or app accesses functions or content reserved for higher-privilege users or apps.
What is horizontal privilege escalation? When a normal user accesses functions or content reserved for other normal users.
What is fuzz testing (fuzzing) Injecting invalid or unexpected input (faults) into an application to see how it reacts.
What is a race condition? When the attacks inserts themselves between instructions, introduces changes and alters the order of execution of the instruction.
What are two disposal methods? - Data purging - Data clearing
What is data purging? Using a method such a degaussing to make sure old data is unavailable, even with forensics.
What is data clearing? A type of disposal that renders information unrecoverable by keyboard.
What is an application security framework? An attempt to bring consistency to application security.
What 3 components are provided by an application security library? - Input validation - Secure logging - Encryption and decryption
What are 5 organizations that are generally industry accepted approaches to application security? - WASC - OWASP - BSI - ISO/IEC 27000 - WS-Security
What is WASC? Web Application Security Consortium - Provides best practices for web based apps. - Provides continual monitoring of attacks, leads to dev of top attack methods in use.
What is OWASP? Open Web Application Security Project - Monitors attacks. Maintains a list of top 10 attacks.
What is BSI? Build Security In - DHS promoting best security practices. - Provides security recommendations regarding architectures, testing methods and code review.
What is ISO/IEC 27000? Int. Organization for Standardization (ISO) and Int. Electrotechnical Commission - Provides guidance to organizations in integrating security into the dev and maintenance of software apps.
What is WS-Security Web Services Security - Uses a protocol called Simple Object Access Protocol (SOAP) for exchanging structured info. WS-Security (WSS) is an extension to SOAP to apply security to web services.
What are the 3 main mechanisms of WSS? - How to sign SOAP messages to ensure integrity. (Non-repudiation) - How to encrypt SOAP messages (confidentiality) - How to attach security tokens to ascertain senders identity.
What are some common models for software development? Card 1 of 2 - Build and Fix - Waterfall - V-shaped - Prototyping - Incremental - Spiral - Rapid application development (RAD)
What are some common models for software development? Card 2 of 2 - Agile - JAD - Cleanroom
In reference to software development, what is the build and fix model? - Popular in the past - Template for how to NOT develop - Problems are fixed as they are discovered
In reference to software development, what is the waterfall method? - Breaks software dev up into phases - Incremental development - Idea > Analysis > Design > Development > Test > Final Product - Rigid approach
In reference to software development, what is the V-Shaped model? - Differs from waterfall, verification and validation performed at each step. - Higher success due to test at every stage. - Works with small scope changes and understood requirements.
In reference to software development, what is the prototyping model? - Use of a sample code to explore different approaches. - Can provide cost and time savings.
In reference to software development, what is the incremental model? - Refined waterfall model - Dev should be in increments of functional capacity. - Series of waterfalls where previous capability is put in at the following implementation level.
In reference to software development, what is the spiral model? - Meta model including multiple dev models - Places emphasis on risk analysis at each stage. -
In reference to software development, what is the Rapid Application Development (RAD) model? - Less time spent upfront. - More emphasis on rapid production of prototypes. - Trial and error
In reference to software development, what is the agile model? - More emphasis on continual feedback and cross-functional teamwork - Incorporates lessons learned in real time - Less rigid
In reference to software development, what is the Joint Analysis (or Application) Development (JAD) model? - Team approach - Team agrees on requirements and resolves differences.
In reference to software development, what is the clean room model? - Strictly adheres to formal steps and structured approach - Prevents errors through extensive testing. - Works well in high quality, mission critical situations.
What is DAM? Database Activity Monitoring - Monitors transactions of database services. - Can be used for monitoring unauthorized access for compliance auditing.
What is a WAF? Web Application Firewalls - Applies rule sets to an HTTP conversation - Will protect against SQL injection, DOM-based XSS and HTTP exhaustion.
What is REST? - Representational State Transfer (REST) - Client/server model for interacting with content on remote systems.
What are two popular RESTful web services? - JavaScript Object Notation (JSON) - XML
What are advantages to using REST/JSON over SOAP/XML? - Size: JSON is less bloated - Efficiency: Easier to parse and extract data - Caching: Improved response times due to caching. - Implementation: Easier to design and implement.
What is a browser extension? A small program or script to increase website functionality.
What is ActiveX? - Server site MS tech. - Uses Object-Oriented Programming (OOP) - Based on COM and DCOM. - Significant flaws
What is a Java applet? Small, server side component running in a web browser.
What is AJAX? Asynchronous JavaScript and XML - Group of interrelated web dev techniques used on the client side to create asynchronous web applications.
What is SOAP? Simple Object Access Protocol - Exchanges structured information in the implementation of web services in computer networks.
What is defined in the SOAP messaging framework? - Processing model: Defines rules - Extensibility Model: Defines concept of features and modules - Binding framework: rules for defining a binding - Message: the structure of a SOAP message.
Show full summary Hide full summary

Similar

Contraception
Matthew Coulson
Web Application Attacks
neteng33
Controladores Hardware De Un Computador
Mad Horse
Jerarquía De Memoria
Mad Horse
Instrucciones Y Programas
Mad Horse
Técnicas De E/S
Mad Horse
The Tangled Web
Ron Kuper
Macbeth Quiz
PatrickNoonan
B3- Science. Cells, Genes and Enzymes.
MissChurro
GCSE AQA Biology 1 Nerves & Hormones
Lilac Potato