Fundamentals of Software System Security and Common Software Weaknesses

Questions and Answers

What does the CIA triad refer to in the context of security?

Confidentiality, Integrity, Accessibility (correct)

Confidentiality, Authenticity, Integrity

Confidentiality, Authorization, Integrity

Confidentiality, Availability, Interoperability

Why is it important for computing systems to have integrity?

To maintain the confidentiality of specific information

To protect against purposeful attempts to interfere with their functions

To ensure that the information is always accessible

To rely on the accuracy and trustworthiness of the systems and the information they store (correct)

What does the term 'non-repudiation' refer to in the context of security?

Ensuring that a party cannot deny the authenticity of a message or action (correct)

Ensuring that information is always accessible

Ensuring that systems can withstand natural disasters and accidents

Ensuring that specific information remains confidential

What aspects must a modern security practitioner comprehend in a rapidly changing technological world?

Principles of architecture, design, management, interoperability, and evolution

What is the foundation of every organization’s security architecture according to the text?

(Confidentiality, Integrity, Accessibility)

Why is obtaining and sustaining security described as a multifaceted, interdisciplinary problem?

Because it involves evaluation of software and hardware components as well as human processes and physical restrictions in the actual world

What are threat actors responsible for in the context of cybersecurity?

Executing cyberthreats

What is the impact in the context of cybersecurity?

The level of damage from unauthorized information disclosure or modification

What refers to the probability of a cybersecurity threat occurring multiplied by its impact?

Risks

What does attack surface refer to in the context of cybersecurity?

The points or vectors through which an unauthorized user can extract data

What do attack trees depict in the context of system attacks?

The objectives attackers intend to achieve

What does compliance refer to in the context of cybersecurity?

Ensuring specified norms and rules are met

Which of the following is NOT one of the principles in the CIA information security triad?

Authenticity

What does confidentiality mean in the context of information security?

Ensuring that information remains private and is accessed only by authorized individuals

Which of the following is considered an example of a threat in cybersecurity?

Denial of service (DoS) attacks

What is the primary safeguard for the secrecy of information systems in the context of confidentiality?

Cryptography

What does integrity relate to in the framework of information security?

Dependability, completeness, and accuracy of information

What is the significance of availability in the CIA information security triad?

It is just as central to information security as confidentiality and integrity

What does regulatory compliance involve?

Classifying data based on importance and sensitivity

What is the primary purpose of risk assessment in the context of regulatory compliance?

To identify risks, evaluate their likelihood and possible effects

What do cyber security standards facilitate?

Establishment of common security requirements and capabilities

What does the Federal Risk and Authorization Management Program (FedRAMP) provide?

A standardized method for security assessment and authorization

What is the primary purpose of rule-based regulations?

To emphasize hazards and specify precise controls and processes

What is the role of regulators when drafting prescriptive regulations?

To provide a detailed list of what must or can be done

What is a characteristic of outcome-based regulations?

They allow firms to take any approach as long as it's sufficient, effective, and reasonable

Which industry is governed by the Health Insurance Portability and Accountability Act (HIPPA)?

Healthcare

What is the primary focus of the Sarbanes–Oxley Act in the financial sector?

Defining security procedures for safeguarding stored records

What aspect of compliance does the Payment Card Industry Data Security Standards (PCI-DSS) address?

Handling of payment card data

What is the goal of the Health Insurance Portability and Accountability Act (HIPPA) in relation to personal health information (PHI)?

To ensure the consistent security of PHI as per its value

Which industry must comply with the ISO/IEC 27001:2013 standard?

Manufacturing

What is the primary responsibility of the North American Electric Reliability Council (NERC) in the energy industry?

Managing compliance standards of utility companies

Which standard is significant in governing retail security and the handling of payment card transactions?

Payment Card Industry Data Security Standards (PCI-DSS)

What is the primary focus of Defense in Depth (DiD) security approach?

Safeguarding against DDoS attacks and data breaches

What is the significance of redundancy in a layered security strategy like Defense in Depth (DiD)?

It restricts and mitigates damage if one layer is breached

Which category of security controls protects IT systems and other physical assets from risks such as tampering and unlawful access?

Physical security controls

In what context is the term 'DiD' originally derived from?

Military strategy

What is an essential premise of a Defense in Depth (DiD) strategy?

Detection and prevention of attacks without multiple products

What does ISO/IEC 27001:2013 primarily focus on?

'Rigorous process' for meeting all requirements in compliance

Which industry must comply with PCI-DSS rules governing retail security?

'Retail' industry

What does layered security in Defense in Depth (DiD) aim to prevent?

Attackers from gaining access to a protected network

What does multi-factor authentication (MFA) require to confirm the identity of a person or device?

Biometric identification and identity verification using external tools

What does zero trust security strategy integrate?

Various security notions mentioned above

What is the primary goal of layered security in the Defense in Depth (DiD) approach?

Safeguarding an organization from a broad range of physical and cyber threats

What is an essential characteristic of an integrated security strategy?

Guaranteeing that multiple security products collaborate effectively

What is a common misconception about security, as described in the text?

Security is always absolute and not context-dependent

What does behavior analysis in security help detect?

Abnormal traffic patterns and unauthorized access

What is the primary difference between a bug and a flaw in the context of security?

In the context of security, a bug refers to a low-level implementation error, while a flaw refers to a design error.

Why is it generally considered more expensive and complex to fix a flaw compared to fixing a bug in software?

Flaws typically require significant restructuring of both problematic code and dependent code

In the context of software security, what could be the consequence of failing to sanitize user-supplied input used in a database call, resulting in SQL injection?

Disclosure of secrets

What is the significance of developing safe software from the beginning in the context of application security?

Eliminates the need to add extra security components later on

What do taxonomies achieve in the context of software security?

Divide a body of information and establish links between things

Why might vulnerabilities remain unfixed in certain circumstances, leaving the system vulnerable to security issues?

Vulnerabilities cannot be fixed, leading to system insecurity

What is the primary function of physical security controls in a Defense in Depth (DiD) approach?

To protect IT systems and physical assets from tampering and unlawful access

What is the main purpose of administrative security controls in the context of Defense in Depth (DiD)?

To govern access to internal systems and sensitive data

What is the primary role of technical security controls in a Defense in Depth (DiD) strategy?

To avoid network and application-based vulnerabilities

What is the potential consequence of a single point of failure in a security solution?

A compromised network or system leading to hacking or harm

What do existing DiD methods encompass based on the provided information?

Physical, technical, and administrative security controls only

What is the primary focus of technical security controls as part of a Defense in Depth (DiD) approach?

Avoiding data breaches and DDoS attacks

What is a recommended solution to prevent injection vulnerabilities?

Use server-side input validation that is affirmative

What does secure design aim to achieve in software development?

Regularly evaluate risks and ensure that code is securely constructed

What is a characteristic of Insecure Design according to the text?

Absence of business risk profiling intrinsic to the software

What is the primary purpose of the OWASP Software Assurance Maturity Model (SAMM)?

Prevent known attack techniques

What is an essential element of a safe development lifecycle according to the text?

Regularly evaluate risks and ensure that code is securely constructed

What is the significance of threat modeling in secure software development?

To validate assumptions and enforce requirements for appropriate conduct

What is the essential purpose of OWASP's top 10 list?

To categorize and highlight the most critical vulnerabilities in web applications

What is the best solution to minimize access control vulnerabilities?

Reinforce business limit constraints specific to each application

Why is it important to identify sensitive data according to privacy laws and business requirements?

To ensure compliance with data protection regulations

What is the key recommendation for encrypting in-transit data to prevent cryptographic failures?

Utilize standard algorithms, protocols, and keys

How can access control failures be minimized?

Access control failures should be logged

Why is it crucial to disable directory listings on the webserver?

To prevent unauthorized access and exposure of files

What is the primary purpose of the MITRE ATT&CK framework?

To identify and classify security threats and tactics

What is the role of MITRE in relation to security?

Running federally financed research and development centers

Why does an application become vulnerable if frequent vulnerability scans are not performed?

Due to unknown versions of components

What is the purpose of a segmented application architecture?

To effectively separate components or tenants securely

What is the significance of a repeatable hardening procedure?

It ensures identical configurations for all environments

How does the MITRE ATT&CK framework focus on detections?

By explaining how detections happen without vendor-specific focus

Why is it important to limit resource usage by user or service?

To ensure efficient and secure operation of the system

What is the significance of conducting vulnerability scans for an application?

It identifies unknown versions of components and hierarchical dependencies

Why is it crucial to implement a segmented application architecture?

To effectively and securely separate components or tenants

Which database aids developers in the discovery of threats to open-source projects on the GitHub platform?

GitHub Advisory Database

What is the primary purpose of CodeQL?

To automate security checks and variant analysis

What do security engineers use a variant analysis for?

Identifying potential vulnerabilities across multiple codebases

What is the primary focus of secure application development training?

Teaching developers how to write safer code

What is a data breach defined as?

Taking information from a system without the owner's knowledge or consent

Why is it ineffective to hand over software to security engineers for testing and fixing vulnerabilities?

Developers understand the software more than anyone else

What does OWASP define as an application security vulnerability?

An implementation bug that allows an attacker to harm a stakeholder

What is an essential phase in reducing the risk associated with software vulnerabilities?

-yearly secure development training

What is the significance of annual training for software developers?

-refresh their skills and inform them of the most current threats

What is the primary goal of the 2021 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses (CWE Top 25)?

To illustrate the most dangerous software weaknesses encountered in the past two years

What is the main objective of the Common Weakness Enumeration (CWE)?

To prevent vulnerabilities at the source through training

Why are the 2021 Common Weakness Enumeration (CWE) Top 25 vulnerabilities considered dangerous?

They allow adversaries to seize total control of a system or steal information

Who does the Common Weakness Enumeration (CWE) primarily aim to train in order to prevent vulnerabilities?

Software and hardware architects, designers, programmers, and acquirers

What is the significance of the CWE List and classification taxonomy?

To act as a vocabulary for identifying and describing various CWE-based problems

What is the primary focus of the MITRE ATT&CK framework?

To provide a knowledge base for understanding adversary behavior

What does the Health Insurance Portability and Accountability Act (HIPPA) primarily aim to achieve in relation to personal health information (PHI)?

To ensure the confidentiality and integrity of PHI

What is the essential purpose of OWASP's Software Assurance Maturity Model (SAMM)?

To provide a framework for building security into software development processes

What is an important aspect that project managers, developers, testers, users, security researchers, and educators should understand by referring to the 2021 Common Weakness Enumeration (CWE) Top 25?

The most severe and current security vulnerabilities

What is a crucial aspect that Defense in Depth (DiD) strategy addresses?

Ensuring that multiple layers of security are in place

What does vulnerability scanning for an application help in achieving?

Detecting and addressing potential security weaknesses

Why is it important to identify sensitive data according to privacy laws and business requirements?

To ensure regulatory compliance only

Study Notes

• Computing systems play a significant role in our daily lives, requiring assurance of their accessibility, integrity, and confidentiality.
• The CIA triad (Confidentiality, Integrity, Availability) forms the foundation of every organization's security architecture.
• Confidentiality ensures that private information remains confidential and is accessible only to authorized individuals.
• Integrity guarantees the accuracy, completeness, and dependability of information, as well as the prevention of unauthorized changes.
• Availability ensures that information is accessible to authorized users.
• Non-Repudiation is a property of cryptographic digital signatures that demonstrates the authenticity of a digital transaction.
• Threats in cybersecurity are occurrences or events that have the potential to cause harm to a system or organization.
• Threat actors are entities, such as individuals or groups, that execute cyber threats.
• Vulnerabilities are systemic weaknesses that make the consequences of threats more dangerous.
• Impact refers to the level of damage that can be anticipated from a breach of confidentiality, integrity, or availability.
• Risks are situations that must be prevented, taking into account both the probability of occurrence and the severity of the impact.

Description

Test your knowledge of cybersecurity fundamentals such as the CIA triad, confidentiality, integrity, availability, non-repudiation, threats, threat actors, vulnerabilities, impact, and risks.