Fundamentals of Software System Security and Common Software Weaknesses

Questions and Answers

What does the CIA triad refer to in the context of security?

• Confidentiality, Integrity, Accessibility (correct)
• Confidentiality, Authenticity, Integrity
• Confidentiality, Authorization, Integrity
• Confidentiality, Availability, Interoperability

Why is it important for computing systems to have integrity?

• To maintain the confidentiality of specific information
• To protect against purposeful attempts to interfere with their functions
• To ensure that the information is always accessible
• To rely on the accuracy and trustworthiness of the systems and the information they store (correct)

What does the term 'non-repudiation' refer to in the context of security?

• Ensuring that a party cannot deny the authenticity of a message or action (correct)
• Ensuring that information is always accessible
• Ensuring that systems can withstand natural disasters and accidents
• Ensuring that specific information remains confidential

What aspects must a modern security practitioner comprehend in a rapidly changing technological world?

Principles of architecture, design, management, interoperability, and evolution (A)

What is the foundation of every organization’s security architecture according to the text?

(Confidentiality, Integrity, Accessibility) (C)

Why is obtaining and sustaining security described as a multifaceted, interdisciplinary problem?

Because it involves evaluation of software and hardware components as well as human processes and physical restrictions in the actual world (B)

What are threat actors responsible for in the context of cybersecurity?

Executing cyberthreats (A)

What is the impact in the context of cybersecurity?

The level of damage from unauthorized information disclosure or modification (B)

What refers to the probability of a cybersecurity threat occurring multiplied by its impact?

Risks (B)

What does attack surface refer to in the context of cybersecurity?

The points or vectors through which an unauthorized user can extract data (C)

What do attack trees depict in the context of system attacks?

The objectives attackers intend to achieve (B)

What does compliance refer to in the context of cybersecurity?

Ensuring specified norms and rules are met (A)

Which of the following is NOT one of the principles in the CIA information security triad?

Authenticity (D)

What does confidentiality mean in the context of information security?

Ensuring that information remains private and is accessed only by authorized individuals (C)

Which of the following is considered an example of a threat in cybersecurity?

Denial of service (DoS) attacks (A)

What is the primary safeguard for the secrecy of information systems in the context of confidentiality?

Cryptography (A)

What does integrity relate to in the framework of information security?

Dependability, completeness, and accuracy of information (B)

What is the significance of availability in the CIA information security triad?

It is just as central to information security as confidentiality and integrity (C)

What does regulatory compliance involve?

Classifying data based on importance and sensitivity (C)

What is the primary purpose of risk assessment in the context of regulatory compliance?

To identify risks, evaluate their likelihood and possible effects (D)

What do cyber security standards facilitate?

Establishment of common security requirements and capabilities (C)

What does the Federal Risk and Authorization Management Program (FedRAMP) provide?

A standardized method for security assessment and authorization (D)

What is the primary purpose of rule-based regulations?

To emphasize hazards and specify precise controls and processes (D)

What is the role of regulators when drafting prescriptive regulations?

To provide a detailed list of what must or can be done (D)

What is a characteristic of outcome-based regulations?

They allow firms to take any approach as long as it's sufficient, effective, and reasonable (A)

Which industry is governed by the Health Insurance Portability and Accountability Act (HIPPA)?

Healthcare (B)

What is the primary focus of the Sarbanes–Oxley Act in the financial sector?

Defining security procedures for safeguarding stored records (C)

What aspect of compliance does the Payment Card Industry Data Security Standards (PCI-DSS) address?

Handling of payment card data (B)

What is the goal of the Health Insurance Portability and Accountability Act (HIPPA) in relation to personal health information (PHI)?

To ensure the consistent security of PHI as per its value (D)

Which industry must comply with the ISO/IEC 27001:2013 standard?

Manufacturing (A)

What is the primary responsibility of the North American Electric Reliability Council (NERC) in the energy industry?

Managing compliance standards of utility companies (D)

Which standard is significant in governing retail security and the handling of payment card transactions?

Payment Card Industry Data Security Standards (PCI-DSS) (D)

What is the primary focus of Defense in Depth (DiD) security approach?

Safeguarding against DDoS attacks and data breaches (A)

What is the significance of redundancy in a layered security strategy like Defense in Depth (DiD)?

It restricts and mitigates damage if one layer is breached (D)

Which category of security controls protects IT systems and other physical assets from risks such as tampering and unlawful access?

Physical security controls (B)

In what context is the term 'DiD' originally derived from?

Military strategy (D)

What is an essential premise of a Defense in Depth (DiD) strategy?

Detection and prevention of attacks without multiple products (A)

What does ISO/IEC 27001:2013 primarily focus on?

'Rigorous process' for meeting all requirements in compliance (A)

Which industry must comply with PCI-DSS rules governing retail security?

'Retail' industry (C)

What does layered security in Defense in Depth (DiD) aim to prevent?

Attackers from gaining access to a protected network (A)

What does multi-factor authentication (MFA) require to confirm the identity of a person or device?

Biometric identification and identity verification using external tools (A)

What does zero trust security strategy integrate?

Various security notions mentioned above (B)

What is the primary goal of layered security in the Defense in Depth (DiD) approach?

Safeguarding an organization from a broad range of physical and cyber threats (D)

What is an essential characteristic of an integrated security strategy?

Guaranteeing that multiple security products collaborate effectively (A)

What is a common misconception about security, as described in the text?

Security is always absolute and not context-dependent (C)

What does behavior analysis in security help detect?

Abnormal traffic patterns and unauthorized access (B)

What is the primary difference between a bug and a flaw in the context of security?

In the context of security, a bug refers to a low-level implementation error, while a flaw refers to a design error. (A)

Why is it generally considered more expensive and complex to fix a flaw compared to fixing a bug in software?

Flaws typically require significant restructuring of both problematic code and dependent code (D)

In the context of software security, what could be the consequence of failing to sanitize user-supplied input used in a database call, resulting in SQL injection?

Disclosure of secrets (A)

What is the significance of developing safe software from the beginning in the context of application security?

Eliminates the need to add extra security components later on (A)

What do taxonomies achieve in the context of software security?

Divide a body of information and establish links between things (A)

Why might vulnerabilities remain unfixed in certain circumstances, leaving the system vulnerable to security issues?

Vulnerabilities cannot be fixed, leading to system insecurity (C)

What is the primary function of physical security controls in a Defense in Depth (DiD) approach?

To protect IT systems and physical assets from tampering and unlawful access (B)

What is the main purpose of administrative security controls in the context of Defense in Depth (DiD)?

To govern access to internal systems and sensitive data (B)

What is the primary role of technical security controls in a Defense in Depth (DiD) strategy?

To avoid network and application-based vulnerabilities (C)

What is the potential consequence of a single point of failure in a security solution?

A compromised network or system leading to hacking or harm (B)

What do existing DiD methods encompass based on the provided information?

Physical, technical, and administrative security controls only (A)

What is the primary focus of technical security controls as part of a Defense in Depth (DiD) approach?

Avoiding data breaches and DDoS attacks (D)

What is a recommended solution to prevent injection vulnerabilities?

Use server-side input validation that is affirmative (B)

What does secure design aim to achieve in software development?

Regularly evaluate risks and ensure that code is securely constructed (B)

What is a characteristic of Insecure Design according to the text?

Absence of business risk profiling intrinsic to the software (A)

What is the primary purpose of the OWASP Software Assurance Maturity Model (SAMM)?

Prevent known attack techniques (C)

What is an essential element of a safe development lifecycle according to the text?

Regularly evaluate risks and ensure that code is securely constructed (C)

What is the significance of threat modeling in secure software development?

To validate assumptions and enforce requirements for appropriate conduct (D)

What is the essential purpose of OWASP's top 10 list?

To categorize and highlight the most critical vulnerabilities in web applications (C)

What is the best solution to minimize access control vulnerabilities?

Reinforce business limit constraints specific to each application (D)

Why is it important to identify sensitive data according to privacy laws and business requirements?

To ensure compliance with data protection regulations (B)

What is the key recommendation for encrypting in-transit data to prevent cryptographic failures?

Utilize standard algorithms, protocols, and keys (B)

How can access control failures be minimized?

Access control failures should be logged (A)

Why is it crucial to disable directory listings on the webserver?

To prevent unauthorized access and exposure of files (B)

What is the primary purpose of the MITRE ATT&CK framework?

To identify and classify security threats and tactics (C)

What is the role of MITRE in relation to security?

Running federally financed research and development centers (A)

Why does an application become vulnerable if frequent vulnerability scans are not performed?

Due to unknown versions of components (D)

What is the purpose of a segmented application architecture?

To effectively separate components or tenants securely (B)

What is the significance of a repeatable hardening procedure?

It ensures identical configurations for all environments (A)

How does the MITRE ATT&CK framework focus on detections?

By explaining how detections happen without vendor-specific focus (A)

Why is it important to limit resource usage by user or service?

To ensure efficient and secure operation of the system (D)

What is the significance of conducting vulnerability scans for an application?

It identifies unknown versions of components and hierarchical dependencies (B)

Why is it crucial to implement a segmented application architecture?

To effectively and securely separate components or tenants (B)

Which database aids developers in the discovery of threats to open-source projects on the GitHub platform?

GitHub Advisory Database (D)

What is the primary purpose of CodeQL?

To automate security checks and variant analysis (C)

What do security engineers use a variant analysis for?

Identifying potential vulnerabilities across multiple codebases (B)

What is the primary focus of secure application development training?

Teaching developers how to write safer code (D)

What is a data breach defined as?

Taking information from a system without the owner's knowledge or consent (B)

Why is it ineffective to hand over software to security engineers for testing and fixing vulnerabilities?

Developers understand the software more than anyone else (B)

What does OWASP define as an application security vulnerability?

An implementation bug that allows an attacker to harm a stakeholder (C)

What is an essential phase in reducing the risk associated with software vulnerabilities?

-yearly secure development training (A)

What is the significance of annual training for software developers?

-refresh their skills and inform them of the most current threats (D)

What is the primary goal of the 2021 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses (CWE Top 25)?

To illustrate the most dangerous software weaknesses encountered in the past two years (A)

What is the main objective of the Common Weakness Enumeration (CWE)?

To prevent vulnerabilities at the source through training (B)

Why are the 2021 Common Weakness Enumeration (CWE) Top 25 vulnerabilities considered dangerous?

They allow adversaries to seize total control of a system or steal information (D)

Who does the Common Weakness Enumeration (CWE) primarily aim to train in order to prevent vulnerabilities?

Software and hardware architects, designers, programmers, and acquirers (A)

What is the significance of the CWE List and classification taxonomy?

To act as a vocabulary for identifying and describing various CWE-based problems (D)

What is the primary focus of the MITRE ATT&CK framework?

To provide a knowledge base for understanding adversary behavior (C)

What does the Health Insurance Portability and Accountability Act (HIPPA) primarily aim to achieve in relation to personal health information (PHI)?

To ensure the confidentiality and integrity of PHI (A)

What is the essential purpose of OWASP's Software Assurance Maturity Model (SAMM)?

To provide a framework for building security into software development processes (B)

What is an important aspect that project managers, developers, testers, users, security researchers, and educators should understand by referring to the 2021 Common Weakness Enumeration (CWE) Top 25?

The most severe and current security vulnerabilities (A)

What is a crucial aspect that Defense in Depth (DiD) strategy addresses?

Ensuring that multiple layers of security are in place (C)

What does vulnerability scanning for an application help in achieving?

Detecting and addressing potential security weaknesses (B)

Why is it important to identify sensitive data according to privacy laws and business requirements?

To ensure regulatory compliance only (D)

Study Notes

• Computing systems play a significant role in our daily lives, requiring assurance of their accessibility, integrity, and confidentiality.
• The CIA triad (Confidentiality, Integrity, Availability) forms the foundation of every organization's security architecture.
• Confidentiality ensures that private information remains confidential and is accessible only to authorized individuals.
• Integrity guarantees the accuracy, completeness, and dependability of information, as well as the prevention of unauthorized changes.
• Availability ensures that information is accessible to authorized users.
• Non-Repudiation is a property of cryptographic digital signatures that demonstrates the authenticity of a digital transaction.
• Threats in cybersecurity are occurrences or events that have the potential to cause harm to a system or organization.
• Threat actors are entities, such as individuals or groups, that execute cyber threats.
• Vulnerabilities are systemic weaknesses that make the consequences of threats more dangerous.
• Impact refers to the level of damage that can be anticipated from a breach of confidentiality, integrity, or availability.
• Risks are situations that must be prevented, taking into account both the probability of occurrence and the severity of the impact.

Description

Test your knowledge of cybersecurity fundamentals such as the CIA triad, confidentiality, integrity, availability, non-repudiation, threats, threat actors, vulnerabilities, impact, and risks.