ITSS4360 Module 12: Web Application Security

Questions and Answers

What is the primary purpose of adding a salt to a password before hashing?

To ensure that all passwords are stored in the same format.

To save storage space for the password hashes.

To enhance the randomness of the hash and protect against duplicate password identification. (correct)

To directly encrypt the passwords for safer storage.

Which phase of the Incident Response framework involves selecting an IR framework and preparing tools?

Preparation (correct)

Detection and analysis

Post-incident activity

Containment, eradication and recovery

What is included in an Incident Response Plan (IRP)?

A set of documented procedures and guidelines for incident response. (correct)

Detailed technical specifications for hardware upgrades.

A list of all users with administrative access.

Financial projections for future cybersecurity investments.

Which of the following best describes the IR Team?

A cross-functional team assembled to respond to incidents with diverse representatives.

Which of the following tools is used during the Detection and Analysis phase to identify vulnerabilities?

A vulnerability scan software

What is the main objective of the containment phase in the NIST incident response process?

To secure networks and systems to prevent further damage from an incident.

In the context of Incident Response, what is meant by 'post-incident activity'?

The evaluation and analysis of the incident after it has been resolved.

Which of the following statements about Incident Response is FALSE?

Incident Response processes only take place after an incident has occurred.

What is security orchestration primarily focused on?

Integrating data from various security systems

Which of the following tasks is NOT typically automated by a SOAR system?

Filling out administrative paperwork

How does SOAR improve threat detection?

Through integration of threat intelligence feeds

What is the primary goal of penetration testing?

To test a system's robustness against unauthorized access

What role does automation play in SOAR?

It reduces the time to manually respond to incidents.

What is a bug bounty program in the context of penetration testing?

A way for software vendors to incentivize testers for identifying vulnerabilities

Which of the following processes can be categorized under security automation?

Responding automatically to security incidents

What differentiates SOAR from traditional SIEM systems?

SOAR automates responses while SIEM focuses on log collection and analysis.

What is the primary function of the server in a web application?

To process requests and generate responses

Which of the following statements about websites is accurate?

Websites are typically built using HTML, CSS, and JavaScript.

What process occurs after the browser sends an HTTP request to the server?

The server uses a server-side component to process the request.

What does the server return to the browser after processing an HTTP request?

An HTTP response

How does the user interface update in a web application after a user interaction?

By sending a new HTTP request and receiving a new response.

What does API stand for in the context of web applications?

Application Programming Interface

Which component is responsible for data storage and retrieval in a web application?

Database

What is NOT a characteristic of a typical website?

Interactive user experience

What does API stand for?

Application Programming Interface

Which of the following accurately describes the role of an API server?

It validates and processes client requests.

What is one primary functional difference between a website and a web application?

Web applications manipulate data based on user input.

What kind of protocols do web applications typically use to communicate?

HTTP/HTTPS

In the context of APIs, what does the term 'Interface' refer to?

A set of rules governing application communication.

Which of the following is NOT a function managed by web applications?

Data visualization

What does a client do when it sends a request to the API server?

It includes parameters indicating the desired operation.

What type of information does API documentation typically provide?

Guidelines on structuring API requests and responses.

What is the primary method to prevent injection attacks?

Implement a safe API with a parameterized interface

Which strategy is NOT a recommended practice for preventing insecure design?

Integrate feedback loops within user interfaces

What is a crucial aspect of preventing security misconfiguration?

Establishing a repeatable hardening process

How can applications ensure that critical flows remain secure?

Implementing plausibility checks across application tiers

What should be done to improve environment security in development, QA, and production?

Use identical configurations and different access controls

Which option is NOT recommended for a secure application architecture?

Install all frameworks to enhance functionality

What role does resource consumption limitation play in application security?

It mitigates denial of service attacks

Which method can help verify the effectiveness of security configurations?

Automated processes to review configurations

What is the primary purpose of securing the originals during a forensic investigation?

To prevent any alterations to the original data.

During the examination step of digital forensics, what type of signs are investigators particularly looking for?

Cybercriminal activity.

What does digital evidence refer to in the context of a forensic investigation?

Electronic data of value stored or transmitted by a device.

What is a forensic snapshot used for in digital forensics?

To capture system data at a specific point in time.

Which of the following describes data volatility?

The duration data is retained without power.

Why are timestamps important in digital forensics?

They help track when data was created, accessed, or modified.

What is meant by a forensic artifact?

Any data that may potentially be used as digital evidence.

What does the order of volatility indicate in a forensic investigation?

The order of data collection based on how long data is retained.

Study Notes

Final Exam Prepper ITSS4360 MODULE 12

• The course is about web application attacks and security.
• The topics covered include modern vs. legacy applications, websites vs. web applications, how modern web applications work, frontend and backend, API, and web application security risks and attacks
• Modern applications use cloud computing, microservices, and containers, while legacy applications use older technologies and monolithic architectures.
• Modern applications are more agile, scalable, and secure, built with security in mind.
• Legacy applications are less agile, less scalable, and may have security vulnerabilities.
• Websites are primarily one-way informational feeds, while web applications have functionality and interact with users, storing and manipulating data based on user input.
• Web apps are accessed through a web browser, do not require installation, and handle user input.
• Modern web application operation follows a request-response cycle.
• The client (user's browser) sends an HTTP request to the web server.
• The server processes the request, retrieves data, and sends an HTTP response back to the client.
• Client-side components then render the response as a user interface.
• The frontend of a web application focuses on the user interface displayed in the browser, while the backend handles user input and data operations.
• Frontend is built using HTML, CSS, and JavaScript.
• Backend includes microservices, database, and APIs.
• APIs (Application Programming Interfaces) act as communication protocols for different software applications to exchange data and functions.
• API documentation explains the requests and responses to communicate between APIs.
• APIs operate over networks like the internet.
• Common web application security risks include Broken Access Control, Cryptographic Failures, Injection, Insecure Design, and Security Misconfiguration.
• To prevent Broken Access Control, enforce record ownership, deny by default for non-public resources, and log failures.
• Cryptographic failures can be mitigated by classifying sensitive data, not storing sensitive data unnecessarily, using up-to-date encryption, protocols, and keys, and encrypting data in transit.
• Preventing injection includes using safe APIs, server-side input validation to prevent malicious input from script execution, and using SQL controls like LIMIT.
• Secure development lifecycle is emphasized for secure design.
• Practices like plausibility checks across application tiers (front-end to back-end) and comprehensive testing with input from development and quality assurance (QA) professionals, as well as limiting resource consumption to enhance security, are vital to prevent insecure design.
• Repeatable security hardening, identical configurations across environments, automated systems setup, avoiding unnecessary features, and effective segmentation utilizing containerization or cloud security groups (ACLs) reduce security misconfiguration risks.
• Cryptography deals with protecting data confidentiality and integrity.
• A key is data used in tandem with a cipher (algorithm) to encrypt and decrypt data.
• Transposition & substitution are two examples of ciphers, which are methods of encrypting or decrypting messages.
• Symmetric encryption uses the same key for encrypting and decrypting.
• Asymmetric encryption uses a pair of keys—a public key for encryption and a private key for decryption.
• Digital signatures confirm sender authenticity.
• Hybrid encryption mixes symmetric and asymmetric methods.
• Digital certificates verify the authenticity of public keys for trust.
• Hashing creates a fixed-length string (hash) from any input. Hashing is different from encryption, and it's one-way.
• Salting unique data, adding random characters to each input before hashing increases security.
• Incident response is an organization's process to identify, contain, and mitigate the effects of security breaches.
• The process follows several phases, including preparation, detection and analysis, containment, and eradication and recovery, and post-incident activities.
• Digital forensics examines electronic data to understand and reconstruct incidents.
• In digital forensics, metadata is data about data.
• Forensic snapshots capture a system's state at specific times.
• Data volatility is about how long data remains on a device when power is removed.
• Right-to-audit is a legal clause enabling audits of business processes, often included in cloud services.
• Security assessments evaluate a system's security controls.
• Vulnerability scanners identify known vulnerabilities, prioritizing by severity.
• Common vulnerability databases, like CVE and NVD, list public vulnerabilities.
• Non-credentialed scans probe exposed services, while credentialed scans have access to internal components.
• Intrusive and non-intrusive scans are possible vulnerabilities scan types.
• Event management systems (SIEMs) analyze and correlate log data for threat detection.
• Security orchestration, automation, and response (SOAR) automates security actions.
• Penetration testing, or ethical hacking, is an authorized attack to evaluate security.
• There are three different types of penetration testing environments based on information provided to the penetration tester.
• Tactics, techniques, and procedures (TTP) analysis helps understand attacker's methods for better defense.
• Honeyfiles, honeypots, and honeynets trap attackers for analysis and understanding attacker tactics.

Description

Prepare for your ITSS4360 final exam with this comprehensive quiz on web application attacks and security. Explore the differences between modern and legacy applications, their architectures, and security risks. Test your knowledge on how web applications interact with users and the concepts of frontend, backend, and APIs.