Cybersecurity Principles Quiz
48 Questions

Questions and Answers

Faan yɔm kan ga nanka andi ta ba bo a yɔm n teriba?

  • Critical (correct)
  • Sensitive (correct)
  • Public (correct)
  • Inaccessible

Critical data should have permanent access.

False

N ti ganda yɔm a yɔsɔn a ka rɔng na pɛ?

Incremental change

The administration API must not be exposed to ______.

Internet

Mʉgʉ daŋ lɔng ke a yɔm na:

  • Resilience = Independence of software layers
  • Tests = Unit and integration
  • Document = How and why of changes
  • Redundancy = Avoid failures

Faan ba ɓi ga yɛn so yu n sɔdeshi?

Use containers

Security by default helps block everything first.

True

The system's _______ must be tested.

Resilience

Naan-yɛtɛ mɔdh a la nyi misa kɔ, bɔ bɛŋa daŋ ka yɛ bɔ mɔhɛ?

Keep the request in a log

Systems must always revert to an earlier version.

False

Which types of recoverable errors are mentioned?

Arbitrary errors, accidental errors, software errors, malicious actions.

To limit DDoS attacks, it is advised to drop traffic from ______ as early as possible.

attackers

Match the recovery elements to the appropriate actions:

  • Disable certificates = Revoke access
  • Block the connection = Prevent malicious actions
  • Renew roles = Ensure system flexibility
  • Cancel transactions = Invite the user to retry

Ki a yɛ ter taan mɔhɛ a la nyi mɔnda sahɛ?

CAPTCHA

Architecture decisions do not affect software robustness.

False

What should be done before a code review?

Walk through the code with the developers.

Naa lî ì la yibrate ti bazin maxim ka a gnaw foga?

Fuzzing

Lè développement piloté par les tests ka kuma yâg'ima so kɔɔ ŋgâ gbirnè.

True

Nin lô tî bɔpɔn sa lyɛmɛ Chpey-ma naza?

Test-driven development

Fuzzing ka nîgiyɛ _______ bɔgɔ, nî bɔgɔ yimbia ka nîtï aktah.

tèng

Bar dawa ka a pyɔ nyongu na bɔgɔ sa a zīn.

  • Avoid side effects = Reduce unwanted modifications
  • Document code usage = Create a reference for developers
  • Control software evolution = Adopt changes easily
  • Focus on the feature being developed = Target customer needs

Dà sã togo kâ ki dâ yabrata sa fɔn fɔ ya tɛr?

Is simple to automate.

Lè Taint ka fo bo rɔ sɛb ale gam nɛ nda mɛti rɔŵe lan.

False

Boko wani lô sa naza ti yâg'ima?

Focus on the feature being developed.

A gɔng ku diɛl N dɔŋ yɔl ne ne? Nda nni Bɔgɔ?

Mɛbɔ dɔbɔgɔ

Code review makes it possible to identify very high-level bugs.

False

E ba N diɛl ɛvɛl ekɔ ne fɛ yɔl?

Eval

Code review makes it possible to identify _____ that are not reachable from the outside.

flows

Gba mɛn a nyonti yɛ: (Match the tools with their description)

  • Fuzzing = Tests software with different inputs
  • Taint-based analysis = Analysis of information flows
  • Dynamic instrumentation = Evaluates code during execution
  • Static code review = Search for keywords in the code

N dɔŋ yɔl anisɔ a gɔng gɔng mots clés?

Mɛbɔ yɔl

Mɛn anndwe motikɔn a diɛl yɔl a na ɛngwɛ?

Few true positives

Fuzzing yɔl nni ayi ɓambɛn gbe ne fɛ hɔlɛ.

True

What is one of the advantages of TDD?

Allows threats to be identified early in the life cycle.

Code review is inexpensive.

False

Which security tests must be performed according to test-driven development?

Parameter validation and comment encoding.

TDD helps to __________ threats that had not already been identified.

identify

Match each type of validation with its advantages or disadvantages:

  • Checklist = Ensures traceability of a threat
  • TDD = Identify threats early
  • Code review = Precise and reliable
  • Automated tests = Can lead to false positives

What is a disadvantage of penetration tests?

They are difficult to do for general cases.

Automated tests are always inexpensive.

False

Why is it difficult to do a checklist test for general cases?

Because it is very expensive and complex.

Mot de passe naana le so minimun yɛ kɛ 12 ɛnɛ?

12

Kɔkɔbɔ bɔyani na abɛtɔ mu na wɔmfa wɔn nan so nsɛm bi ka ho.

False

Mɛnna a, dɛn na ɛyɛ bɔkɔɔ pɛ a ɛda ho kwan ma nnuan no?

Ɛyɛ session pɛ na ɛnnɛ da ho kwan worɔ mu.

Mɛyɛ nsɛm no sɛ ebia ɛda ho kwan a, session no bɛ ______.

si

Dɛn na wɔnkɔfa ho nyansa to mu wɔ data management?

Access control

Akanfoɔ nyɛ data mu a yɛbɛtɔ ho kɔda ho.

True

Dɛn na ɛyɛ no kɛse wɔ data protection ho?

Confidentiality ne integrity.

Kɔtɔ da bi a akwan no ne ho nsɛm.

  • Confidentiality = Protection against unauthorized access
  • Integrity = Protection from malicious alteration
  • Error Handling = Quality audits
  • Cryptography = Secure key access

Study Notes

CR440 - Security Application

• This course covers application security requirements.
• The course uses OWASP ASVS (Application Security Verification Standard).
• ASVS is a standard for web application security, guiding the development of secure web applications.
• ASVS is currently at version 4.0.3.
• It is structured into three levels, offering varying assurance levels.
• OWASP provides a guide for developers to test application security.
• Links to the OWASP guide for web security testing and the testing framework will be included in the accompanying notes.

OWASP ASVS I

• Focuses on architectural designs and threat modeling.
• Includes guidelines on system architecture, concerning factors like Availability, Confidentiality, Integrity, Non-repudiation, and Privacy.
• Includes requirements on authentication, specifically passwords.
• Minimum password requirements (e.g., 12 characters).
• Password changes and validation checks.

OWASP ASVS II

• Highlights session management and access control.
• Includes unique and non-guessable session IDs.
• Rules for removing sessions and invalidating them.
• Access control and well-defined roles and permissions.
• Prevention of reusability for roles and permissions.
• Secure handling of input, utilizing validation and encoding processes.

OWASP ASVS III

• Focuses on cryptography-related requirements.
• Encoding of output data for security purposes.
• Secure handling and functioning of cryptographic modules.
• Proper use of random number generators.
• Secure management of access keys.
• Error handling and auditing practices.

OWASP ASVS IV

• Addresses management of stored information.
• Security and classification-based handling of stored information.
• Temporary storage of logs.
• Data protection, considering Confidentiality, Integrity, and Availability.

OWASP ASVS V

• Focuses on communication security protocols.
• Using TLS for secure data transmission.
• Up-to-date recommendations for the configuration and implementation of cryptographic algorithms and methods.
• Mitigation techniques for outdated or weak cryptographic algorithms.

OWASP ASVS VI

• Application logic and threat mitigation.
• Preventing malicious URLs or redirects.
• Ensuring safe and predictable application logic.
• Safeguards against malicious logic attacks and automated attacks.

OWASP ASVS VII

• File management and web service security standards.
• Requirements for secure handling of data from untrusted sources.
• Specific controls and permissions for accessing and handling web services.
• Adequate authentication, session management, and authorization for all web services.

OWASP ASVS VIII

• Emphasizes secure deployments, including cloud deployments.
• Secure and repeatable deployment environments.
• Secure dependencies and components.
• Importance of secure default configurations, which must be consciously overridden rather than silently changed.

Testing Requirements and Quality Assurance

• Quality assurance and testing are crucial aspects of the course.
• OWASP provides a web security testing guide.
• Guides for different aspects of security testing for web applications.

OTG (Testing Guide)

• This is a testing guide that shows how developers can approach testing.

Architectural Review

• UML diagrams are discussed, providing insights into data flow and security measures.
• Data flow diagrams (DFDs) are useful for identifying potential threats.

Design Principles

• Several principles on secure software architecture from the book cited as "Adkins, 2020" are outlined, such as designing programs for least privilege, which protects the system.
• There are also considerations focused on enabling clear understanding of the programming logic, adapting to changes in how the system might be employed, resilience to unexpected events, and mitigation of distributed denial-of-service (DDoS) attacks.

Least Privilege

• Access controls are critical and must be as limited as possible.
• External input should be treated cautiously and not fully trusted.
• Access control based on roles, risks, and necessary access levels.
• A micro-service approach is suitable for fine-grained security.

Making Code Intelligible

• Developers need to understand the logic and intended behavior of the system to effectively detect bugs and flaws.
• Creating secure systems is facilitated by employing practices that focus on clarity and maintainability.
• Adaptability to changes (e.g., updates to requirements or specifications) should be planned in advance.

Changes Implementation

• Changes should be incremental, limited in scope, and individually documented.
• Comprehensive testing is necessary, including unit tests.
• Modularization and isolation of changes prevent negative impacts (e.g., side effects on other functionalities).
• Gradual and controlled deployment procedures.

Easier Changes

• Upkeep and regeneration of solution components, for instance by ensuring that dependencies are maintained.
• Consistent use of automated testing helps minimize issues during code changes.
• Utilize containerization for increased isolation and reproducibility.
• Micro-services and various types of deployment scheduling strategies.

Resilience I and II

• It is important to make software components independently resilient.
• Maintain separate units across the system to prevent interconnected failures.
• The system's resiliency should be automated so that it works as expected in cases of failure.
• Implement ways to restore functionality if and when failures occur.

Recovery Techniques

• Creating mechanisms to restore the system when errors occur.
• Methods for disabling or revoking features, processes, roles, or access control lists.
• Flexible deployment speeds.
• Return to previous versions.

DDoS Attacks

• Methods for mitigating DDoS attacks.
• Using caching proxies to handle traffic spikes.
• Efficient and carefully designed query and data access practices.

System Design and Critical Choices

• Architectural choices have a significant impact on the stability and security of a system.
• System design and choices are based on a well-established strategy.

Code Review

• Importance of reviewing the code and related design documents before release.
• Testing for bugs, and checking for discrepancies that may have been missed.

Dynamic Code Review

• Utilizing dynamic code review tools is essential.
• Tools help find errors not likely to be detected otherwise.
• Important insights are provided by a code review process.

Advantages and Disadvantages of Various Validation Methods

• Understanding the strengths and weaknesses of different validation methods (e.g., checklists, TDD, etc.).

Test-Driven Development (TDD)

• Describe the process of creating applications following this approach.
• Demonstrate the steps used in the creation of a new application using this approach.
• Explain how the approaches described enhance code quality and security.


Description

Test your knowledge on critical cybersecurity concepts. This quiz covers various aspects of security, error handling, and software robustness. Understand the best practices essential for protecting systems and data.
