Secure Software Architecture

Questions and Answers

Explain the limitations of solely relying on Static Application Security Testing (SAST) for identifying vulnerabilities in a highly polymorphic and obfuscated codebase, particularly in scenarios where runtime behavior significantly deviates from static analysis.

SAST struggles with polymorphic/obfuscated code due to its inability to fully resolve dynamic behavior. Runtime deviations lead to false negatives, as SAST cannot accurately predict the program's actual execution flow and state.

Describe the challenges associated with implementing a hybrid security model that integrates both SAST and DAST, including strategies for resolving conflicting vulnerability reports and minimizing redundancy in testing efforts.

Challenges include reconciling differing results, avoiding duplicate tests, and managing the complexity of correlating findings across different testing methodologies to create a unified risk assessment.

What would be the effect on security posture of using a DAST tool against a system that implements aggressive rate limiting and account lockout policies?

DAST effectiveness might be hindered. Rate limiting can prevent thorough testing, and account lockouts can limit the scope of testing.

Suppose you discover a Cross-Site Scripting (XSS) vulnerability in a legacy application. Explain the trade-offs between applying contextual output encoding versus implementing a Content Security Policy (CSP) to mitigate the risk.

Output encoding is targeted but may miss cases; CSP provides broader protection but can be complex to configure, potentially breaking functionality if misconfigured.

Explain the implications of using a reverse proxy with inadequate input validation, focusing on how an attacker might exploit this setup to bypass security controls on the backend servers.

Inadequate validation allows attackers to craft malicious requests that are forwarded unchecked, bypassing backend security measures and potentially compromising the servers.

Discuss the challenges in applying traditional penetration testing methodologies to serverless architectures, emphasizing the need for novel approaches to assess function-level vulnerabilities and inter-function communication.

Traditional methods are insufficient due to the ephemeral nature of serverless functions. New approaches must focus on function-level exploits, API security, and IAM misconfigurations.

Describe the limitations of signature-based intrusion detection systems (IDS) in detecting sophisticated cyber attacks that utilize advanced evasion techniques such as steganography and polymorphic code.

Signature-based IDSs are ineffective against steganography and polymorphic code because these techniques alter the attack's appearance, bypassing the pre-defined signatures.

Explain the concept of 'data residency' in the context of cloud computing and discuss the legal and technical challenges in ensuring compliance with data residency requirements across multiple jurisdictions.

Data residency mandates data storage within specific geographic boundaries. Challenges include varying legal interpretations, complex data sovereignty laws, and technical difficulties in maintaining data segregation.

Discuss the security implications of using third-party APIs in a microservices architecture, focusing on the challenges of managing trust relationships and mitigating the risk of supply chain attacks.

Third-party APIs introduce trust dependencies. Managing this trust, ensuring API security, and mitigating supply chain risks are huge challenges.

What advanced strategies would an organization employ to mitigate advanced persistent threats (APTs) that have already breached the initial perimeter security, emphasizing lateral movement detection and data exfiltration prevention?

Strategies include continuous network monitoring, behavioral analysis, deception technology, and multi-factor authentication for lateral movement detection, combined with data loss prevention (DLP) mechanisms and egress filtering to prevent data exfiltration.

In a zero-trust network architecture, how can you implement and verify continuous authentication and authorization for users and devices, especially when accessing highly sensitive data or critical systems?

Employ continuous risk assessment based on behavioral biometrics, device posture, and contextual factors, coupled with dynamic authorization policies enforced through micro-segmentation and attribute-based access control (ABAC).

Explain the limitations of traditional signature-based Web Application Firewalls (WAFs) in protecting against zero-day exploits and how machine learning-based WAFs can overcome these limitations. What are the drawbacks of a machine learning approach?

Signature-based WAFs are ineffective against novel attacks. ML-based WAFs learn normal behavior and detect anomalies, improving zero-day protection. Drawbacks include false positives, training data bias, and resource intensiveness.

Imagine you are designing a system to protect against SQL injection. Detail a methodology to combine parameterized queries, least privilege accounts, and input validation in a secure manner.

Use parameterized queries server-side in the code. Limit database permissions and use input validation (escape/block bad characters). Regularly audited.

Outline advanced techniques to prevent Cross-Site Request Forgery (CSRF) attacks in Single Page Applications (SPAs) that rely heavily on JavaScript and APIs beyond the typical use of synchronizer tokens.

Implement double submit cookies with strong encryption, leverage the SameSite attribute effectively, and enforce strict origin validation combined with a robust Content Security Policy (CSP). Supplement with user interaction-based defenses where appropriate.

How should an organization design a comprehensive API security strategy that incorporates mutual TLS (mTLS), OAuth 2.0 with PKCE, and API gateways to create a multi-layered defense against unauthorized access and API abuse?

Implement mTLS for client authentication to the gateway, use OAuth 2.0 with PKCE for delegated authorization, and configure the API gateway for rate limiting, threat detection, and payload inspection.

Evaluate the effectiveness of using address space layout randomization (ASLR) as a standalone security measure against memory corruption vulnerabilities, particularly against advanced exploitation techniques like return-oriented programming (ROP).

ASLR alone is insufficient against ROP, which chains existing code snippets to bypass ASLR. It's most effective when combined with other mitigation techniques like DEP and stack canaries.

Elaborate on the complexities of ensuring data integrity in a distributed database system, considering the CAP theorem and the trade-offs between consistency, availability, and partition tolerance.

Achieving strong consistency can reduce availability. Guaranteeing partition tolerance adds complexity. Data integrity requires careful tuning of consistency levels, conflict resolution mechanisms, and robust auditing.

When creating code for a secure system, when is it advisable or inadvisable to build your own cryptography?

It is almost always inadvisable to build your own cryptography, with the rare exception of provably competent cryptographers working on specialized novel hardware.

What are the most current advances in homomorphic encryption, and what do they allow us to do that would not have been practical 10 years ago?

Advances in fully homomorphic encryption (FHE) enable computation on encrypted data without decryption, supporting complex operations like machine learning and database queries, significantly faster and more efficiently than a decade ago. However, they are still extremely computationally intensive.

Outline a strategy for implementing secure multi-party computation (MPC) in a financial transaction system that involves multiple banks, focusing on techniques to prevent collusion and ensure data privacy.

Use threshold cryptography to distribute key shares. Implement zero-knowledge proofs to verify computations without revealing inputs. Employ secure aggregation protocols to prevent data leakage.

Explain the concept of 'security by obscurity' and detail scenarios where it might provide a false sense of security. How would you advocate for its complete removal?

Security by obscurity relies on secrecy of design or implementation. It may provide limited, short-term protection but ultimately fails when the secret is revealed. Advocate for defense in depth, source code review, open standards, and penetration testing.

What modern memory protection schemes offer the best security guarantees and why, versus the security schemes offered 10 years ago?

Modern memory protection schemes like Intel's CET offer hardware-level enforcement, providing better guarantees against ROP/JOP attacks compared to software-based ASLR and DEP from 10 years ago.

Describe the challenges in implementing secure boot on embedded systems with limited resources and diverse hardware architectures, focusing on techniques to verify the integrity of the bootloader and operating system.

Challenges include constrained processing power, memory limitations, and platform diversity. Solutions involve cryptographic hashing, digital signatures, and hardware root of trust to ensure bootloader and OS integrity.

Explain the trade-offs between using full disk encryption (FDE) versus file-level encryption in terms of performance, security, and manageability across a large enterprise environment.

FDE encrypts the entire disk, offering comprehensive protection but potentially impacting performance. File-level encryption provides granular control but can be complex to manage and may leave metadata exposed.

Outline a comprehensive strategy for managing and mitigating the risks associated with shadow IT, including techniques for discovering unauthorized devices and applications, enforcing security policies, and educating users.

Use network monitoring, endpoint detection, and cloud access security brokers (CASBs) to discover shadow IT. Enforce policies via firewalls, intrusion detection, and access controls. Educate users about the risks.

Describe the steps involved in conducting a thorough security audit of a complex cloud infrastructure, including techniques for assessing compliance with industry regulations and identifying potential misconfigurations.

Define audit scope, review security policies, assess IAM configurations, analyze network security, conduct vulnerability scans, review logs, and verify compliance with relevant regulations.

How best to prevent race conditions from occurring in a multi-threaded or asynchronous application?

Race conditions can be tackled through the use of locks, semaphores, atomic operations if available in your language, and immutability if possible.

How does the concept of 'defense in depth' apply to secure software architecture. Provide an example.

Defense in depth is the idea that multiple layers of security are better than relying on a single security control. An example is a combination of WAF, rate limiting and strong authentication.

Discuss the challenges and solutions associated with securely managing cryptographic keys in a distributed microservices architecture, especially when dealing with frequent key rotation and diverse key types.

Challenges include key sprawl, complex access control, and key compromise. Solutions involve centralized key management systems (KMS), hardware security modules (HSMs), and automated key rotation policies.

Explain the concept of 'federated identity management' and describe its benefits and challenges in enabling secure access to resources across multiple organizations, focusing on trust establishment and interoperability.

Federated identity allows users to use the same credentials across multiple organizations. Benefits include improved user experience and reduced administrative overhead. Challenges include trust establishment, interoperability, and privacy concerns.

Describe the key differences between the AES, ChaCha20, and Serpent ciphers with respect to their security properties, performance characteristics, and suitability for different use cases.

AES is widely used, hardware-accelerated, but susceptible to side-channel attacks. ChaCha20 is faster in software, resistant to side-channel attacks, and suitable for mobile devices. Serpent is highly secure but slower.

A highly skilled penetration tester has discovered the ability to upload arbitrary files to a sensitive web server. Describe an advanced strategy for preventing code execution, including specific security controls to evade.

Apply strict file type validation, rename uploaded files, store files outside the web root, configure the web server to prevent execution, and use content security policy (CSP).

How do you perform data sanitization to prevent code injection in a system that accepts both Markdown and raw HTML input.

Sanitize Markdown by converting it to HTML and then sanitize this HTML using a whitelist-based HTML sanitizer. For raw HTML, use the same whitelist-based sanitizer.

Outline an advanced strategy for protecting against denial-of-service (DoS) attacks in a cloud environment, including techniques for detecting malicious traffic, mitigating attacks, and ensuring service availability.

Use traffic shaping, rate limiting, geo-filtering, and bot detection. Implement auto-scaling and load balancing to absorb traffic. Leverage cloud-based DDoS mitigation services.

What class of attack can input validation schemes be most easily bypassed, and how do you advise someone to prevent that?

Input validation schemes can be bypassed via encoding or other obfuscation techniques. To prevent this, normalize input before validation and use canonicalization.

Explain the security benefits of system call filtering in sandboxing architectures. What attacks does it prevent?

System call filtering limits the kernel operations a process can perform, preventing privilege escalation, arbitrary code execution, and information leakage by blocking unauthorized system calls.

Describe the challenges associated with implementing confidential computing techniques, such as Intel SGX, in a multi-tenant cloud environment. What attack mitigations are provided by an enclaved system?

Challenges include attestation, key management, and side-channel attacks. SGX provides memory encryption, code isolation, and remote attestation to protect sensitive data and code within enclaves, mitigating attacks like privilege escalation and data leakage.

What are the current weaknesses of the TLS protocol and how are they being addressed in the newest version?

Weaknesses include legacy cipher suites, vulnerabilities to downgrade attacks, and certificate validation issues. TLS 1.3 addresses these with stronger cipher suites, improved handshake protocols, and mandatory encryption.

In what situation might it be preferable to use blockchain cryptography over public-key cryptography?

In situations where there are multiple writers of data, such as multiple IoT devices, where you need to track the auditable state of data over time in the presence of untrusted parties.

How would you audit the use of a serverless system to know what data ingress and egress is occurring, and that no unintended access of data occurs?

Implement comprehensive logging, use function-level IAM policies, enable network segmentation, and utilize cloud-native security tools for continuous monitoring and threat detection across all function executions.

Flashcards

Secure Coding

Writing software to protect against vulnerabilities.

Why write secure code?

Protects data, enhances trust and ensures compliance.

Data Protection

Protecting sensitive information from damage or loss.

Cyber Attacks

Acts to steal, damage, or disrupt systems.

Static Application Security Testing (SAST)

Inspect source code for vulnerabilities without executing the program.

Dynamic Application Security Testing (DAST)

Tools to test security during application operation.

Vulnerability Assessment

A review of weaknesses in an information system.

Penetration Testing

A simulated cyber attack to check for vulnerabilities.

API Security

Security practices for application programming interfaces.

Cross-Site Scripting (XSS)

Malicious code injected into a trusted website.

Sandboxing

Isolates each application to prevent security risks.

Input Validation

Ensures input conforms to specified rules.

Sanitisation

Checking, cleaning, and filtering data inputs.

Study Notes

Secure Software Architecture

• Focuses on secure coding and reducing cyber attacks
• Requires understanding secure software architecture, IT infrastructure, hardware, software and systems

Secure Coding

• Involves writing software to protect against vulnerabilities
• Crucial for addressing cyber threats and security breaches in software development
• Involves proactive design and writing of code to prevent security vulnerabilities and reduce long-term costs of sensitive data leaks

Importance of Secure Code

• Minimises cyber attacks and vulnerabilities to protect data and systems
• Enhances trust, ensures regulatory compliance, improves business continuity
• Saves costs and can provide a competitive edge in the market

Key Concepts in Secure Software Architecture

• Data protection
• Cyber attacks
• Static Application Security Testing (SAST)
• Dynamic Application Security Testing (DAST)
• Vulnerability assessment
• Penetration testing
• API security
• Cross-site scripting (XSS)

Data Protection

• Process of protecting sensitive information (Imperva 2024a)
• Secures data from unauthorized access with permissions set for only select users
• Maintains trustworthy, reliable, accurate, and complete data
• Ensures data is accessible and available when required

Cyber Attacks

• Actions performed by individuals with harmful intent to steal data or disrupt systems (Imperva 2024b)
• Involve malware, social engineering, man in the middle (MitM) attacks, denial-of-service (DoS), and injection attacks
• Include malware, phishing, SQL injections, zero-day exploits, and DNS tunneling

Static Application Security Testing (SAST)

• White-box tools used to inspect source code (Imperva 2024c)
• Testers have access to the underlying framework and design, which fixes vulnerabilities early in development
• Code is quickly analyzed and provides real-time feedback with graphical representations

Dynamic Application Security Testing (DAST)

• Black-box tools used to test products during operation (Imperva 2024c)
• Testers have no knowledge of the system's internals
• Tests focuses on evaluating the whole application and system
• Checks for vulnerabilities like XSS, SQL injection, and cookie manipulation

Vulnerability Assessment

• A systematic review of security weaknesses in an information system (Imperva 2024d)
• System weaknesses are evaluated by assigning severity levels and recommendations
• Involves host assessment of critical servers, network and wireless assessments, and database assessments

Penetration Testing

• A simulated cyber attack (Imperva 2024e)
• Tests for exploitable vulnerabilities
• Involves breaching of application systems, such as APIs and frontend or backend servers
• Tools used includes vulnerability scanners, web proxies, network sniffers, and password crackers

API Security

• Uses security practices related to Application Programming Interfaces (APIs)
• Manages API privacy and access control, and identifies and remediates API attacks
• Secures the client-side(web or mobile) application layer through public networks

Cross-Site Scripting (XSS)

• Runs malicious code as part of a vulnerable web application (Dizdar 2022)
• Aims to inject malicious code into a trusted website, which targets primarily the user (victim)
• Some examples includes British Airways, Fortnite and eBay

Vulnerabilities

• SQL injection
• Cross-site scripting (XSS)
• Cross-site forgery request (CSFR)
• Invalid forwarding and redirecting
• Memory management
• Session mismanagement
• Broken authentication
• Race conditions

Sandboxing

• Isolates each application, so it cannot pose a security risk by accessing system resources.
• Requires more resources, as each application requires its own container.
• Can limits the resource use of different processes running on the device.

Input Validation

• Input validation ensures input conforms to a set of defined rules.
• For example, the 'date of birth' field may require a date in the form dd/mm/yyyy.

Sanitisation

• Sanitisation involves checking, cleaning and filtering data inputs of any unwanted characters and strings to prevent the injection of harmful codes into the system.
• For example, is not allowed in usernames.