DEVSECOPS – SECURING THE CI/CDPIPELINE & CONTINUOUS SECURITY

Questions and Answers

What method did the hackers use to compromise the SolarWinds software supply chain?

Unauthorized access to SolarWinds servers

Malicious injection into software updates (correct)

Social engineering attacks on SolarWinds employees

Denial of service attacks on SolarWinds infrastructure

What is the NPM Node Package Manager primarily used for?

Managing financial transactions

Storing personal documents

Organizing email communication

Exchanging software packages (correct)

What is the purpose of Scopes in NPM Node Package Manager?

Creating data backups

Monitoring system performance

Grouping similar software development packages (correct)

Managing user profiles

How did the attackers achieve unfettered package change under a Scope in NPM?

Using a specially written pull request

What type of vulnerability led to remote code execution in Cloudflare?

Unsafe zip archive extraction

What is the primary goal of security in the pipeline (SIP) according to the text?

Discovering defects and errors in the code

What are some of the important benefits of continuous integration and continuous delivery/deployment (CI/CD)?

Saves time for developers and allows more time for code creation

Why is security often a concern in the CI/CD pipeline?

CI/CD is quick, but security measures are typically slow

How does DevSecOps aim to change the speed and delivery of software security?

By integrating security controls as part of the software being developed

Why is it critical for developers to understand what is happening during software development and deployment in the context of security?

To ensure that security is not compromised in the development and deployment process

What role does DevSecOps play in the development and deployment process?

It aims to integrate security as a design constraint in the software being developed

What does CI/CD save an enormous amount of for developers?

Time

What makes CI/CD pipelines a desirable target for adversaries?

They manage the whole software lifecycle

How can attackers potentially exploit the trust connection between code repositories and servers in CI/CD pipelines?

By exploiting code modifications and commits

Why are containers considered a secure solution for executing programs in CI/CD pipelines?

They are isolated from each other

What is a supply chain assault in the context of CI/CD pipeline security?

An attempt to spoof users through third-party software

What is the significance of the SolarWinds Orion supply chain breach?

It infiltrated networks, systems, and data of thousands of organizations

What made SolarWinds a valuable target for the supply chain assault?

Its privileged access to IT systems and extensive deployment

What is the purpose of a Web Application Firewall (WAF)?

To safeguard web applications by filtering, monitoring, and blocking harmful HTTP/S traffic

Which type of WAF implementation is typically the most expensive and requires physical equipment?

Network-based WAF

What is the main advantage of a cloud-based WAF?

Low upfront cost and continuous updates without additional effort or cost

What does Runtime Application Self-Protection (RASP) technology perform?

A server-based technique that activates when an application is launched to identify and stop real-time attacks

What is the purpose of Continuous esecurity?

To swiftly identify, prioritize, diagnose, and fix performance problems interfering with regular service operation

What does Hypertext Transfer Protocol Secure (HTTPS) refer to?

HTTP over transport layer security (TLS) or HTTP over secure socket layer (SSL)

What is the main purpose of Cloud Security Posture Management (CSPM)?

Automating risk assessment and mitigation across different cloud systems

What is the primary focus of Security Around the Pipeline (SAP)?

Protecting the pipeline from being bypassed

Why is continuous security integration crucial for contemporary systems?

To continually safeguard infrastructure and applications

What is the primary function of Kubernetes in the context of software security?

Simplifying container orchestration technology

Why is it necessary to include continuous security validation into CI/CD pipelines?

To detect holes and misconfigurations in the code

What does Security of the Pipeline (SOP) primarily focus on protecting?

The posture of system processes targeted by malware

What is the primary function of RASP in the context of application security?

To identify and resolve security issues within the application

In which mode does RASP attempt to prevent security issues from occurring?

Protective mode

How do developers implement RASP using function calls found in an app’s source code?

By accessing the RASP technology

What is the ultimate effect of implementing RASP in an application's security?

It combines a firewall with the program’s runtime environment

What is the primary purpose of application security monitoring?

To notify administrators of malicious activity

What capability is unavailable to security solutions that operate 'outside' apps?

Identifying strange activities that contradict business principles

What advantage do application security monitoring solutions have over embedding monitoring code into each application?

They have extensive knowledge and expertise on attacks and abuses

What is the primary function of logging in an application?

To ensure compliance with security laws

What is the primary purpose of Incident Response?

To promptly detect and stop attacks

What is the primary objective when Containment of attackers and incident activity is performed?

To reach this level as soon as possible to limit the amount of damage caused

What is the significance of Incident Response Frameworks?

They assist companies in the creation of standardized response strategies

Why is a risk assessment conducted during the Preparation of processes and systems phase of Incident Response?

To prioritize the protection of high-priority assets

What is the main focus during the Identification of occurrences phase of Incident Response?

To detect and identify any unusual behavior using tools and processes specified during the planning phase

What is typically performed during Short-term containment as part of Incident Response?

Imminent threats are contained in situ

What is the primary function of the National Institute of Standards and Technology (NIST) incident response methodology?

To develop an IR plan and an IR team

1

It provides instructions on how to develop a communication plan and training scenarios.

What is typically performed during Short-term containment as part of Incident Response?

Imminent threats are contained in situ.

What is the primary responsibility of a cloud computing provider according to the shared responsibility model?

Providing services and storage such as the virtualization layer, disks, and networks

What is the primary role of bug bounty programs in proactive security management?

Crowdsourcing security knowledge via a formal program and paying rewards for defects discovered

What is the responsibility of users in the software as a service (SaaS) model of cloud computing?

Protecting the security of the subscriptions and login credentials of their users

What is the primary function of Red teaming exercises in cybersecurity?

Simulating cyberattacks to identify vulnerabilities

Which type of cloud service model places more security responsibilities on the users as they go from SaaS to PaaS and to IaaS?

Infrastructure as a service (IaaS)

What is the purpose of hiring white-hat hackers in bug bounty programs?

Uncovering previously undisclosed vulnerabilities

What is the main responsibility of a company's IT staff and employees in a shared responsibility model for cloud security?

Accountable for the security of that infrastructure, as well as the applications and data that run on it

What is the primary focus of Red Hat’s Ansible Playbook in the context of patching process automation?

Ensuring correct and consistent application of fixes by automating patching process

"Traditional information security checked for security at the conclusion of an application, whereas continuous security tests for security in parallel from start to finish" – Which concept does this statement refer to?

Continuous security

What are the four stages of the incident response framework according to Cichonsk et al. (2012)?

Preparation, Detection and analysis, Containment, Post-incident activity

What is a key contribution to cybersecurity by SANS?

Incident Response Framework

What is the process of revealing security vulnerabilities in computer software or hardware known as?

Vulnerability Disclosures

What do patches modify in an operating system, platform, or application?

Existing software

What is the primary purpose of patch management in systems administration?

To protect against malware and cyberattacks

Which entity implemented the coordinated vulnerability disclosure (CVD) concept?

Microsoft

What does automating patch management help to reduce?

Human errors

What is the primary advantage of combining patch management with automation technologies?

Limited human errors

What type of vulnerabilities do bug bounties and vulnerability rewards programs aim to address?

Software vulnerabilities

Which organization collaborated on security-related research and public education to present the SANS incident response framework?

SANS

What is the main benefit of using logs to test apps prior to deploying them into production?

Identifying security flaws before they become exploitable vulnerabilities

What is the direct impact of the length of time a vulnerability remains exploitable?

Financial, brand, and consumer trust costs

How does logging and effective log management contribute to improving collaboration between teams?

By enabling real-time monitoring and coordination of modifications

What is the primary role of logs in the context of application security?

Identifying security flaws before deployment

Why is the use of logs important in the context of software development and deployment?

To prevent vulnerabilities from entering production environments

What aspect does effective log management aim to enhance in the context of application development?

Coordination between development and IT operations teams

What impact does the presence of vulnerabilities in deployed applications have on other team members?

It saves time that would have been spent detecting them

Why might vulnerabilities delivered into production remain exploitable for several hours or even days?

Owing to the absence of effective log management

What is the primary purpose of a top-tier log management application in the context of application security?

To identify security flaws before deploying apps into production

How does log management contribute to reducing costs related to security flaws?

By minimizing financial costs through efficient log analysis