General Programming Failures: Static Test Tools and Common Vulnerabilities

Questions and Answers

What is the purpose of using static test tools for source code?

• To ensure the code is compiled correctly
• To minimize the size of the source code
• To debug the source code
• To identify and address common vulnerabilities and issues in the code (correct)

What are some examples of failures that can result from insufficient transport layer protection?

• Insecure cryptographic storage
• Use of a one-way hash without a salt
• Hard-coded credentials and missing encryption of sensitive data (correct)
• Improper error handling

What is cryptographic agility?

• The ability to break cryptographic algorithms without recompiling
• The ability to encrypt data using multiple overlapping algorithms
• The ability to decrypt data without knowing the cryptographic key
• The ability to manage specific cryptographic functions embodied in configuration files (correct)

What is the significance of ensuring common errors are cleared prior to each build?

It is an essential mitigation step in application development (C)

What are some of the issues that a static code scanner can find?

Errors like off by one or failure to properly initialize (D)

What type of attacks can result from insecure cryptographic storage?

Use of a broken or risky cryptographic algorithm (C)

How does cryptographic agility assist in managing cryptography?

By managing cryptographic functions embodied in code without recompiling (A)

What is the potential consequence of improper error handling?

Exposing sensitive data to unauthorized access (D)

Why is it important to use static test tools for source code?

To identify and mitigate common vulnerabilities and issues in the code (D)

What are some examples of failures in the application of cryptography?

Using a broken or risky cryptographic algorithm (D)

What are some examples of vulnerabilities that a static code scanner can find?

Obsolete libraries and failure to properly initialize (B)

How does insufficient transport layer protection contribute to failures in application security?

By enabling the download of code without integrity check (A)

What is the potential impact of insecure cryptographic storage?

Failed protection for data and programs (B)

Why is ensuring that common errors are cleared prior to each build considered an essential mitigation step?

To eliminate vulnerabilities such as off by one errors and improper initialization (B)

What is cryptographic agility and how does it contribute to managing cryptography?

The ability to manage the specifics of cryptographic function embodied in code without recompiling, typically through a configuration file; it assists in doing this without replacing the code itself. (D)

Which failures can result from improper error handling?

Errors like off by one and failure to properly initialize (D)

What types of attacks can result from insecure cryptographic storage?

Use of a broken or risky cryptographic algorithm and download of code without integrity check (A)

What is the significance of using static test tools for source code?

To screen code for a wide variety of issues and ensure common errors are cleared prior to each build (C)

What are some examples of failures in the application of cryptography?

Missing encryption of sensitive data and use of a one-way hash without a salt (C)

How does cryptographic agility assist in managing cryptography?

By assisting in switching from an insecure to a more secure algorithm without recompiling the code itself (A)

What is the main concern during sustainment in terms of software security?

Failure to issue patches or updates promptly (B)

What is the significance of maintaining session state information in web applications?

To sustain the session state information in stateless HTTP protocol (A)

According to Carlos Lyons, what is the potential impact of a vulnerability in an application?

Exploitation of a network or a host (D)

Which type of attack is commonly directed towards the web application layer, according to the Gartner Report?

Cross-site Request Forgery (CSRF) Attack (D)

What contributes to the exposure of software vulnerabilities during operation?

Failure to apply necessary patches and updates (A)

What is the difference between an attack and an exploit?

An attack refers to the action against the targeted software, while an exploit refers to the mechanism by which that action is carried out. (B)

How can developers compromise the dependability and trustworthiness of software during development?

By intentionally corrupting the software through malicious code. (A)

What is a prerequisite for maliciousness according to threat categorization?

Intentionality (D)

What can happen if those responsible for distributing software fail to tamperproof it before shipping?

The software may be compromised, compromising its dependability and trustworthiness during deployment. (B)

What do we need to do to ensure software security, as mentioned in the text?

Eliminate bugs and design flaws, and/or make them harder to exploit. (C)