23 Cards in this Set

  • Front
  • Back

WHAT IS CWE?

The MITRE corporation manages the Common Weakness Enumeration (CWE), a community-developed dictionary of software weaknesses.

http://cwe.mitre.org/index.html
P222


WHAT IS THE MISSION OF LOGGING IN SECURE SOFTWARE?

The mission of logging in secure software is to make it as easy as possible for investigators to answer these questions:
■ What happened?
■ Who did it?
■ When did it happen?
■ How was our security circumvented?
■ What data was viewed or modified?
■ How can we prevent this from happening again?
P222


WHAT IS THE LOGGING BEST PRACTICE REGARDING THE SESSION ID?

Do not log the user’s session ID because this could leak critical authentication data to insiders! Instead, log a hash of the session ID so you can reference multiple log entries to the same session without exposing the session ID itself.
P223


WHAT SHOULD BE LOGGED?

HINT: USERNAME, IP ADDRESS, TRANSACTION ID OR ACTIVITY ID (TO TIE ALL LOG ENTRIES FROM A PARTICULAR SESSION TOGETHER)
P223


LIST THE SECURITY-RELATED EVENTS THAT SHOULD BE LOGGED.

TIP: Consider prioritizing or highlighting log entries of actions conducted by highly privileged users, such as admin or super user accounts.
■ Successful logins
■ Failed logins
■ Logouts
■ Password or security question changes
■ Profile changes, such as a change of email address
■ Password reset attempts
■ New user registration
■ User de-registration
■ Authorization failures
■ Changes to access levels, such as granting admin or superuser access
■ Operational activities, such as backups (for example, exporting my Twitter feed)
■ Any system administration activity
■ Significant input validation failures
■ Any other sensitive operation…
P224


WHAT SHOULD NOT BE LOGGED?

HINT: APP-SPECIFIC SENSITIVE DATA THAT COULD ASSIST AN ATTACKER, E.G. SESSION ID, PERSONAL INFORMATION
P224


GIVEN AN APPLICATION WITH MULTIPLE SECURITY MECHANISMS, WHICH MECHANISM IS COMMONLY A SOURCE OF SECURITY LEAKS?

HINT: FRAMEWORKS THAT INCLUDE DEVELOPMENT CONVENIENCE METHODS THAT LOG COMPLETE REQUESTS, INCLUDING PASSWORDS, CREDIT CARD NUMBERS, SOCIAL SECURITY NUMBERS, ETC.
WWW.IEEELOG.COM
P225


GIVE EXAMPLES OF SECURITY-FOCUSED LOGGING FRAMEWORKS. STATE WHICH IS PREFERRED AND WHY

HINT: ESAPI, LOGBACK (MARKERS, MAPPED DIAGNOSTIC CONTEXT MDCs, SLF4J)
P226


WHAT IS THE ESAPI PROJECT?

One of the earlier attempts at security-centric logging is the OWASP ESAPI project for Java. ESAPI is a security library that includes specific and granular APIs for security-centric logging. Although this project is not necessarily production quality, it still provides a good example of the type of requirements that senior security professionals seek in logging software.
P226


WHAT IS THE GOAL OF THE ESAPI PROJECT?

The goal of ESAPI logging is simple: Provide an API that allows developers to easily make a log entry that includes a timestamp from a reliable source, severity level of the event, an indication that this is a security-relevant event (if mixed with other logs), the identity of the user that caused the event (if there is a user associated with the event), the source IP address of the request associated with the event, whether the event succeeded or failed, and a description of the event.
P226


DESCRIBE THE LOGBACK PROJECT, AND WHICH ONE IS PREFERRED VS ESAPI AND WHY.

P230


WHAT SENSITIVE INFORMATION CAN BE DISPLAYED IN THE BROWSER IF ERROR CASES ARE NOT HANDLED CORRECTLY?

HINT: DEV LANGUAGE, LIBRARIES, EXACT VERSION OF SERVER, AND A POSSIBLE SQL INJECTION VULNERABILITY IN CASE IT'S AN SQL ERROR
P231


DESCRIBE THE BEST PRACTICE FOR ERROR HANDLING IN A WEB APPLICATION.

HINT: USE WEB.XML TO DISPLAY A DEFAULT PAGE FOR UNCAUGHT EXCEPTIONS.
PROVIDE A UNIQUE REFERENCE NUMBER (E.G. AN ID).
CUSTOM ERROR PAGES FOR HTTP ERROR CODES, TO PREVENT THE SERVER'S DEFAULT PAGES (WHICH OFTEN REVEAL SERVER VERSION NUMBERS)
P232


WEB.XML ELEMENT FOR DEFINING CUSTOM PAGES TO HANDLE UNCAUGHT ERRORS.

HINT:
P232


GIVE EXAMPLES OF TOOLS FOR SQL INJECTION AND VULNERABILITY DETECTION.

SQLMAP
HAVIJ
ACUNETIX
P234


GIVE EXAMPLES OF OBVIOUS ATTACK ATTEMPTS AND THEIR DETECTION STRATEGIES.

SIMPLE TECHNIQUES FOR XSS
SEARCHING FOR USER INPUT WITH COMMON XSS ATTACK PATTERNS
SQL INJECTION DETECTION EFFORTS
DETECT MALICIOUS TOOLS THEMSELVES THROUGH THEIR USER AGENT STRINGS AND CORRUPT HTTP HEADERS
P234


GIVE EXAMPLES OF INTERCEPTING PROXY TOOLS

OWASP ZAP
BURP PROXY
PAROS PROXY
WEBSCARAB
TAMPER DATA
P235


DESCRIBE THE INTRUSION DETECTION CASE "INPUT VIOLATION OF IMMUTABLE FORM COMPONENTS". WITH WHICH TOOLS CAN IT BE CARRIED OUT? HOW IS IT DETECTED? WHAT MEASURE IS RECOMMENDED AS A RESPONSE?

HINT: RADIO BUTTONS

OWASP ZAP
BURP PROXY
PAROS PROXY
WEBSCARAB
TAMPER DATA

LOCK THE USER'S ACCOUNT
P234


LIST TECHNIQUES AGAINST AUTOMATED ATTACKS.

CSRF TOKENS
FORM POLYMORPHISM
HONEY TOKEN COMPONENT
P237


WHAT DOES THE FORM POLYMORPHISM PROGRAMMING TECHNIQUE CONSIST OF, AND WHAT IS IT USED AGAINST? GIVE AN EXAMPLE CASE.

HINT: AUTOMATED ATTACKS. LOGIN FORM
P238


WHAT DOES THE HONEY TOKEN FORM COMPONENT TECHNIQUE CONSIST OF, AND WHAT IS IT USED AGAINST? GIVE AN EXAMPLE CASE.

HINT: TEXT FIELD MOVED OFF-PAGE WITH CSS, TO CATCH AUTOMATED BOTS.

IT SHOULD ARRIVE EMPTY AT THE SERVER SIDE
P238


WHAT IS OWASP AppSensor?

The OWASP AppSensor project is an open-source framework for real-time attack detection and response. That means your application can actually detect intruders and protect itself! AppSensor performs a similar function to a network layer intrusion detection system, but operates at the application layer.
P239


WHAT ARE THE COMPONENTS OF OWASP AppSensor? WHICH ONES LIVE IN THE APPLICATION AND WHICH IN THE FRAMEWORK? DESCRIBE THE COMPONENTS

DETECTION POINTS
ANALYSIS ENGINE (AND POLICY CONFIGURATION)
RESPONSE EXECUTION
P240