85 Cards in this Set
What is the first objective of designing security into the SDLC, and what is the second objective? |
First: minimize vulnerabilities. Second: develop layered defenses for the vulnerabilities that remain |
|
What is the code within a system that can be accessed by unauthorized parties? |
Attack surface |
|
What is a means of measuring and determining the risks associated with the implementation of design and development? |
Attack surface evaluation |
|
When considering the attack surface of a product, what are these? Open sockets, services, active web handlers, dynamic web pages, null sessions, weak ACLs |
Ways it can be 'accessed' |
|
What is a representation of the potential vulnerability associated with software? |
Attack surface |
|
When should you calculate the attack surface? |
Throughout the development process |
|
When should attack surface minimization be considered? |
During design |
|
What are the 5 steps of the threat model development? |
1. Define security objectives for the system 2. System decomposition 3. Threat identification 4. Mitigation analysis 5. Validation of threat model |
|
What are these used for? UML (unified modeling language), use cases, misuse cases, DFD (data flow diagrams) |
System decomposition |
|
For the purposes of threat modeling, where the target is manipulation of information, which modeling system is the best choice for documenting threats? |
DFD (data flow diagram) |
|
Users and other systems are what type of DFD element in threat modeling? |
External entities |
|
Files, DBs, registries, and shared memory are what type of DFD element in threat modeling? |
Data stores |
|
Users, file systems and process boundaries are what type of DFD element in threat modeling? |
Trust boundaries |
|
Function calls, network traffic and remote procedure calls are what type of DFD element in threat modeling? |
Data flows |
|
What is the boundary where items share the same privileges, access and identifiers, representing points where an attacker can interject into the system? |
Trust boundary |
|
What security control/property addresses spoofing? |
Authentication |
|
What security control/property addresses tampering? |
Integrity |
|
What security control/property addresses repudiation? |
Non-repudiation |
|
What security control/property addresses information disclosure? |
Confidentiality |
|
What security control/property addresses denial of service? |
Availability |
|
What security control/property addresses elevation of privilege? |
Authorization |
|
What are the 4 types of threat mitigation? |
1. Redesign to eliminate the vulnerability 2. Apply a standard mitigation 3. Invent a new mitigation 4. Accept the vulnerability |
|
What is a graphical representation of an attack? |
Attack tree |
|
What is at the beginning of an attack tree (root node)? |
Attack objective |
|
Reproducibility + exploitability + discoverability = ? |
Probability |
|
Damage potential + affected users = ? |
Impact |
|
When should threat model validation occur? |
At gates situated throughout the SDL |
|
What are the primary mechanisms that enterprises use to manage security? |
Security controls |
|
An increasing value for the attack surface during development indicates what? |
An increase in resources you can address |
|
Is it possible to identify all threats to a system? |
No |
|
True or False. The primary purpose of security reviews is to assess the effectiveness of the SDL. |
True, where effectiveness means the SDL is having the desired security effects. The security review does not directly assess the quality of individual security actions and mitigations. |
|
Hashing helps with what part of CIA? |
Integrity |
|
Encryption helps with what part of CIA? |
Confidentiality |
|
Recovery mechanisms help with what part of CIA? |
Availability |
|
What 3 elements work together to manage interconnectivity for an application? |
Session mgmt, Exception mgmt, Configuration mgmt |
|
True or False. Out-of-band management interfaces are less prone to interference from DoS attacks against an app, reducing operational risk. |
True |
|
Economy of mechanism means to limit complexity to make security manageable or... |
to keep things simple |
|
In the n-tier architecture model, what does the n stand for? |
The number of levels (tiers) of applications doing the work |
|
What type of architecture has both parties (systems) sharing the work (equal levels of processing)? |
Peer-to-peer |
|
What technology manages throughput and guarantees communication delivery? |
Message queuing |
|
What distributed architecture has these characteristics? Platform neutrality, interoperability, discoverability, modularity and reusability, contract-based interfaces |
SOA (service oriented architecture) |
|
What are machine-readable interfaces for communicating between elements over the internet? |
Web services |
|
What is the XML format of the machine-readable description of the web service interface? |
WSDL (web service description language) |
|
What describes functionality offered by a web service including how the service can be called, what parameters it expects, and what data structures it returns? |
WSDL (web service description language) |
|
What is a form of architecture that uses the Web as a transfer mechanism and the client as a processing device? |
Rich internet applications |
|
What has the objective of creating an application with the characteristics of a desktop application, but delivered across the Internet (Facebook is an example)? |
RIA (rich internet applications) |
|
When it comes to client-side exploits and peer-to-peer operations, what is one universal truth? |
Never trust input without validation |
|
True or False. Developers do not need to worry too much about their app sending data across a network because the network takes care of the security. |
False |
|
What is a low-speed protocol for radio frequency communication over very short distances (no more than a couple of inches), used in mobile devices and payment systems? |
Near-field communication |
|
What are these characteristics describing? On-demand self-service, broad network access, resource pooling, rapid elasticity, measured service |
Cloud computing |
|
On which cloud platform can a customer deploy and operate arbitrary software without worrying about the specifics of the environment? |
IaaS |
|
Platform neutral, interoperability and modular with contract-based interfaces describes what? |
SOA (service oriented architecture) |
|
What does URL stand for? |
Uniform resource locator |
|
What is an industrial strength password synchronization system? |
SSO (single sign on) |
|
True or False. Only system administrators should be able to see passwords. |
False. Passwords are secrets and should never be accessible by anyone, including system administrators |
|
What allows secrets to remain secret and still be used? |
Cryptography |
|
What are the 2 main parties in an authentication system? |
RP (relying party) & IdP (identity provider) |
|
Fill in the blanks. The user wishes access to a ________ and has credentials established on an ________. |
The user wishes access to a relying party and has credentials established on an identity provider. |
|
Between OpenID and OAuth, which is for authentication and which is for authorization? |
OpenID is for authentication & OAuth is for authorization |
|
What is the standard for managing digital certificates? |
X.509 |
|
What are the 2 most popular SSO methods? |
Kerberos and SAML (security assertion markup language) |
|
What is similar to a firewall in that it mediates traffic flows, but acts more like a middleman where traffic from untrusted sources stops and is validated against rules before it is allowed to continue? |
Proxy |
|
True or False. PCI DSS requires either a web application firewall between the server and users OR that application code reviews are performed. |
True |
|
What is the de facto standard for logging in a Linux/Unix environment? |
Syslog |
|
What exists as a last line of defense for protecting data? |
DLP |
|
What are the 3 entities in DRM (digital rights management)? |
Users, content, rights |
|
What is the machine-readable form that is XML based and defines the license, permissions and restrictions of DRM? |
REL (rights expression language) |
|
What are the HW, firmware and SW components of a system that are critical to security? |
TCB (Trusted Computing Base) |
|
What is a HW implementation of a set of cryptographic functions on a motherboard? |
TPM (Trusted Platform Module) |
|
What is the application of a digital signature to computer code? |
Code signing |
|
What is used to identify rows and join tables in a DB? |
Primary keys. (Primary keys cannot be encrypted therefore you should not use PII or PHI information as keys in a DB) |
|
What can you employ when you have data with different sensitivity levels in the same db? |
Data segregation |
|
What can you use to automate anything in a db? |
Triggers (e.g. change to a record can trigger a script) |
|
What are programmatically designed extracts of data in a series of tables? |
Views |
|
True or False. DBs have their own internal access control mechanism similar to ACL-based controls for file systems. |
True |
|
What 2 processes convert source code into processor code, instantiating it on the target computer? |
Compilers and interpreters |
|
What are the 2 subprocesses involved in compiled languages? |
Compiling and linking |
|
What 2 forms does linking of compiled code come in? |
Static and dynamic |
|
What are 2 popular hybrid languages that leverage both compiled and interpreted languages? |
Java and MSFT .Net |
|
What is the intermediate system called in Java? |
JVM (java virtual machine) |
|
What is the intermediate system for .Net? |
CLR (common language runtime) |
|
What are dedicated systems where the HW and SW are coupled for a specific purpose? |
Embedded systems |
|
What are specialized computer systems used for automated control of equipment? |
Control systems |
|
What is SW code held on the device (aka "wired-in" SW)? |
Firmware |
|
What is the process of combining functions, libraries, and dependencies into a single operational unit? |
Linking |